owasp-depscan 5.1.4__py3-none-any.whl → 5.1.5__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of owasp-depscan might be problematic. Click here for more details.

Files changed (12) hide show
  1. depscan/cli.py +12 -94
  2. depscan/lib/analysis.py +325 -169
  3. depscan/lib/config.py +113 -5
  4. depscan/lib/csaf.py +1327 -1451
  5. depscan/lib/logger.py +0 -1
  6. depscan/lib/orasclient.py +127 -0
  7. {owasp_depscan-5.1.4.dist-info → owasp_depscan-5.1.5.dist-info}/METADATA +41 -33
  8. {owasp_depscan-5.1.4.dist-info → owasp_depscan-5.1.5.dist-info}/RECORD +12 -11
  9. {owasp_depscan-5.1.4.dist-info → owasp_depscan-5.1.5.dist-info}/LICENSE +0 -0
  10. {owasp_depscan-5.1.4.dist-info → owasp_depscan-5.1.5.dist-info}/WHEEL +0 -0
  11. {owasp_depscan-5.1.4.dist-info → owasp_depscan-5.1.5.dist-info}/entry_points.txt +0 -0
  12. {owasp_depscan-5.1.4.dist-info → owasp_depscan-5.1.5.dist-info}/top_level.txt +0 -0
depscan/lib/csaf.py CHANGED
@@ -1,14 +1,17 @@
1
1
  import json
2
- import logging
3
2
  import os
4
3
  import re
4
+ import sys
5
5
  from copy import deepcopy
6
6
  from datetime import datetime
7
7
  from json import JSONDecodeError
8
8
 
9
+ import cvss
10
+ from cvss import CVSSError
11
+ from packageurl import PackageURL
12
+
9
13
  import toml
10
14
  from vdb.lib import convert_time
11
- from vdb.lib.utils import version_compare
12
15
 
13
16
  from depscan.lib.logger import LOG
14
17
  from depscan.lib.utils import get_version
@@ -16,1070 +19,1027 @@ from depscan.lib.utils import get_version
16
19
  TIME_FMT = "%Y-%m-%dT%H:%M:%S"
17
20
 
18
21
  CWE_MAP = {
19
- "CWE-5": "J2EE Misconfiguration: Data Transmission Without Encryption",
20
- "CWE-6": "J2EE Misconfiguration: Insufficient Session-ID Length",
21
- "CWE-7": "J2EE Misconfiguration: Missing Custom Error Page",
22
- "CWE-8": "J2EE Misconfiguration: Entity Bean Declared Remote",
23
- "CWE-9": "J2EE Misconfiguration: Weak Access Permissions for EJB Methods",
24
- "CWE-11": "ASP.NET Misconfiguration: Creating Debug Binary",
25
- "CWE-12": "ASP.NET Misconfiguration: Missing Custom Error Page",
26
- "CWE-13": "ASP.NET Misconfiguration: Password in Configuration File",
27
- "CWE-14": "Compiler Removal of Code to Clear Buffers",
28
- "CWE-15": "External Control of System or Configuration Setting",
29
- "CWE-20": "Improper Input Validation",
30
- "CWE-22": "Improper Limitation of a Pathname to a Restricted Directory",
31
- "CWE-23": "Relative Path Traversal",
32
- "CWE-24": "Path Traversal",
33
- "CWE-25": "Path Traversal",
34
- "CWE-26": "Path Traversal",
35
- "CWE-27": "Path Traversal",
36
- "CWE-28": "Path Traversal",
37
- "CWE-29": "Path Traversal",
38
- "CWE-30": "Path Traversal",
39
- "CWE-31": "Path Traversal",
40
- "CWE-32": "Path Traversal",
41
- "CWE-33": "Path Traversal",
42
- "CWE-34": "Path Traversal",
43
- "CWE-35": "Path Traversal",
44
- "CWE-36": "Absolute Path Traversal",
45
- "CWE-37": "Path Traversal",
46
- "CWE-38": "Path Traversal",
47
- "CWE-39": "Path Traversal",
48
- "CWE-40": "Path Traversal",
49
- "CWE-41": "Improper Resolution of Path Equivalence",
50
- "CWE-42": "Path Equivalence",
51
- "CWE-43": "Path Equivalence",
52
- "CWE-44": "Path Equivalence",
53
- "CWE-45": "Path Equivalence",
54
- "CWE-46": "Path Equivalence",
55
- "CWE-47": "Path Equivalence",
56
- "CWE-48": "Path Equivalence",
57
- "CWE-49": "Path Equivalence",
58
- "CWE-50": "Path Equivalence",
59
- "CWE-51": "Path Equivalence",
60
- "CWE-52": "Path Equivalence",
61
- "CWE-53": "Path Equivalence",
62
- "CWE-54": "Path Equivalence",
63
- "CWE-55": "Path Equivalence",
64
- "CWE-56": "Path Equivalence",
65
- "CWE-57": "Path Equivalence",
66
- "CWE-58": "Path Equivalence",
67
- "CWE-59": "Improper Link Resolution Before File Access",
68
- "CWE-61": "UNIX Symbolic Link",
69
- "CWE-62": "UNIX Hard Link",
70
- "CWE-64": "Windows Shortcut Following",
71
- "CWE-65": "Windows Hard Link",
72
- "CWE-66": "Improper Handling of File Names that Identify Virtual Resources",
73
- "CWE-67": "Improper Handling of Windows Device Names",
74
- "CWE-69": "Improper Handling of Windows ::DATA Alternate Data Stream",
75
- "CWE-71": "DEPRECATED: Apple .DS_Store",
76
- "CWE-72": "Improper Handling of Apple HFS+ Alternate Data Stream Path",
77
- "CWE-73": "External Control of File Name or Path",
78
- "CWE-74": "Improper Neutralization of Special Elements in Output Used by "
79
- "a Downstream Component",
80
- "CWE-75": "Failure to Sanitize Special Elements into a Different Plane",
81
- "CWE-76": "Improper Neutralization of Equivalent Special Elements",
82
- "CWE-77": "Improper Neutralization of Special Elements used in a Command",
83
- "CWE-78": "Improper Neutralization of Special Elements used in an OS "
84
- "Command",
85
- "CWE-79": "Improper Neutralization of Input During Web Page Generation",
86
- "CWE-80": "Improper Neutralization of Script-Related HTML Tags in a Web "
87
- "Page",
88
- "CWE-81": "Improper Neutralization of Script in an Error Message Web Page",
89
- "CWE-82": "Improper Neutralization of Script in Attributes of IMG Tags in "
90
- "a Web Page",
91
- "CWE-83": "Improper Neutralization of Script in Attributes in a Web Page",
92
- "CWE-84": "Improper Neutralization of Encoded URI Schemes in a Web Page",
93
- "CWE-85": "Doubled Character XSS Manipulations",
94
- "CWE-86": "Improper Neutralization of Invalid Characters in Identifiers "
95
- "in Web Pages",
96
- "CWE-87": "Improper Neutralization of Alternate XSS Syntax",
97
- "CWE-88": "Improper Neutralization of Argument Delimiters in a Command",
98
- "CWE-89": "Improper Neutralization of Special Elements used in an SQL "
99
- "Command",
100
- "CWE-90": "Improper Neutralization of Special Elements used in an LDAP "
101
- "Query",
102
- "CWE-91": "XML Injection",
103
- "CWE-92": "DEPRECATED: Improper Sanitization of Custom Special Characters",
104
- "CWE-93": "Improper Neutralization of CRLF Sequences",
105
- "CWE-94": "Improper Control of Generation of Code",
106
- "CWE-95": "Improper Neutralization of Directives in Dynamically Evaluated "
107
- "Code",
108
- "CWE-96": "Improper Neutralization of Directives in Statically Saved Code",
109
- "CWE-97": "Improper Neutralization of Server-Side Includes",
110
- "CWE-98": "Improper Control of Filename for Include/Require Statement in "
111
- "PHP Program",
112
- "CWE-99": "Improper Control of Resource Identifiers",
113
- "CWE-102": "Struts: Duplicate Validation Forms",
114
- "CWE-103": "Struts: Incomplete validate",
115
- "CWE-104": "Struts: Form Bean Does Not Extend Validation Class",
116
- "CWE-105": "Struts: Form Field Without Validator",
117
- "CWE-106": "Struts: Plug-in Framework not in Use",
118
- "CWE-107": "Struts: Unused Validation Form",
119
- "CWE-108": "Struts: Unvalidated Action Form",
120
- "CWE-109": "Struts: Validator Turned Off",
121
- "CWE-110": "Struts: Validator Without Form Field",
122
- "CWE-111": "Direct Use of Unsafe JNI",
123
- "CWE-112": "Missing XML Validation",
124
- "CWE-113": "Improper Neutralization of CRLF Sequences in HTTP Headers",
125
- "CWE-114": "Process Control",
126
- "CWE-115": "Misinterpretation of Input",
127
- "CWE-116": "Improper Encoding or Escaping of Output",
128
- "CWE-117": "Improper Output Neutralization for Logs",
129
- "CWE-118": "Incorrect Access of Indexable Resource",
130
- "CWE-119": "Improper Restriction of Operations within the Bounds of a "
131
- "Memory Buffer",
132
- "CWE-120": "Buffer Copy without Checking Size of Input",
133
- "CWE-121": "Stack-based Buffer Overflow",
134
- "CWE-122": "Heap-based Buffer Overflow",
135
- "CWE-123": "Write-what-where Condition",
136
- "CWE-124": "Buffer Underwrite",
137
- "CWE-125": "Out-of-bounds Read",
138
- "CWE-126": "Buffer Over-read",
139
- "CWE-127": "Buffer Under-read",
140
- "CWE-128": "Wrap-around Error",
141
- "CWE-129": "Improper Validation of Array Index",
142
- "CWE-130": "Improper Handling of Length Parameter Inconsistency",
143
- "CWE-131": "Incorrect Calculation of Buffer Size",
144
- "CWE-132": "DEPRECATED: Miscalculated Null Termination",
145
- "CWE-134": "Use of Externally-Controlled Format String",
146
- "CWE-135": "Incorrect Calculation of Multi-Byte String Length",
147
- "CWE-138": "Improper Neutralization of Special Elements",
148
- "CWE-140": "Improper Neutralization of Delimiters",
149
- "CWE-141": "Improper Neutralization of Parameter/Argument Delimiters",
150
- "CWE-142": "Improper Neutralization of Value Delimiters",
151
- "CWE-143": "Improper Neutralization of Record Delimiters",
152
- "CWE-144": "Improper Neutralization of Line Delimiters",
153
- "CWE-145": "Improper Neutralization of Section Delimiters",
154
- "CWE-146": "Improper Neutralization of Expression/Command Delimiters",
155
- "CWE-147": "Improper Neutralization of Input Terminators",
156
- "CWE-148": "Improper Neutralization of Input Leaders",
157
- "CWE-149": "Improper Neutralization of Quoting Syntax",
158
- "CWE-150": "Improper Neutralization of Escape, Meta, or Control Sequences",
159
- "CWE-151": "Improper Neutralization of Comment Delimiters",
160
- "CWE-152": "Improper Neutralization of Macro Symbols",
161
- "CWE-153": "Improper Neutralization of Substitution Characters",
162
- "CWE-154": "Improper Neutralization of Variable Name Delimiters",
163
- "CWE-155": "Improper Neutralization of Wildcards or Matching Symbols",
164
- "CWE-156": "Improper Neutralization of Whitespace",
165
- "CWE-157": "Failure to Sanitize Paired Delimiters",
166
- "CWE-158": "Improper Neutralization of Null Byte or NUL Character",
167
- "CWE-159": "Improper Handling of Invalid Use of Special Elements",
168
- "CWE-160": "Improper Neutralization of Leading Special Elements",
169
- "CWE-161": "Improper Neutralization of Multiple Leading Special Elements",
170
- "CWE-162": "Improper Neutralization of Trailing Special Elements",
171
- "CWE-163": "Improper Neutralization of Multiple Trailing Special Elements",
172
- "CWE-164": "Improper Neutralization of Internal Special Elements",
173
- "CWE-165": "Improper Neutralization of Multiple Internal Special Elements",
174
- "CWE-166": "Improper Handling of Missing Special Element",
175
- "CWE-167": "Improper Handling of Additional Special Element",
176
- "CWE-168": "Improper Handling of Inconsistent Special Elements",
177
- "CWE-170": "Improper Null Termination",
178
- "CWE-172": "Encoding Error",
179
- "CWE-173": "Improper Handling of Alternate Encoding",
180
- "CWE-174": "Double Decoding of the Same Data",
181
- "CWE-175": "Improper Handling of Mixed Encoding",
182
- "CWE-176": "Improper Handling of Unicode Encoding",
183
- "CWE-177": "Improper Handling of URL Encoding",
184
- "CWE-178": "Improper Handling of Case Sensitivity",
185
- "CWE-179": "Incorrect Behavior Order: Early Validation",
186
- "CWE-180": "Incorrect Behavior Order: Validate Before Canonicalize",
187
- "CWE-181": "Incorrect Behavior Order: Validate Before Filter",
188
- "CWE-182": "Collapse of Data into Unsafe Value",
189
- "CWE-183": "Permissive List of Allowed Inputs",
190
- "CWE-184": "Incomplete List of Disallowed Inputs",
191
- "CWE-185": "Incorrect Regular Expression",
192
- "CWE-186": "Overly Restrictive Regular Expression",
193
- "CWE-187": "Partial String Comparison",
194
- "CWE-188": "Reliance on Data/Memory Layout",
195
- "CWE-190": "Integer Overflow or Wraparound",
196
- "CWE-191": "Integer Underflow",
197
- "CWE-192": "Integer Coercion Error",
198
- "CWE-193": "Off-by-one Error",
199
- "CWE-194": "Unexpected Sign Extension",
200
- "CWE-195": "Signed to Unsigned Conversion Error",
201
- "CWE-196": "Unsigned to Signed Conversion Error",
202
- "CWE-197": "Numeric Truncation Error",
203
- "CWE-198": "Use of Incorrect Byte Ordering",
204
- "CWE-200": "Exposure of Sensitive Information to an Unauthorized Actor",
205
- "CWE-201": "Insertion of Sensitive Information Into Sent Data",
206
- "CWE-202": "Exposure of Sensitive Information Through Data Queries",
207
- "CWE-203": "Observable Discrepancy",
208
- "CWE-204": "Observable Response Discrepancy",
209
- "CWE-205": "Observable Behavioral Discrepancy",
210
- "CWE-206": "Observable Internal Behavioral Discrepancy",
211
- "CWE-207": "Observable Behavioral Discrepancy With Equivalent Products",
212
- "CWE-208": "Observable Timing Discrepancy",
213
- "CWE-209": "Generation of Error Message Containing Sensitive Information",
214
- "CWE-210": "Self-generated Error Message Containing Sensitive Information",
215
- "CWE-211": "Externally-Generated Error Message Containing Sensitive "
216
- "Information",
217
- "CWE-212": "Improper Removal of Sensitive Information Before Storage or "
218
- "Transfer",
219
- "CWE-213": "Exposure of Sensitive Information Due to Incompatible Policies",
220
- "CWE-214": "Invocation of Process Using Visible Sensitive Information",
221
- "CWE-215": "Insertion of Sensitive Information Into Debugging Code",
222
- "CWE-216": "DEPRECATED: Containment Errors",
223
- "CWE-217": "DEPRECATED: Failure to Protect Stored Data from Modification",
224
- "CWE-218": "DEPRECATED: Failure to provide confidentiality for stored data",
225
- "CWE-219": "Storage of File with Sensitive Data Under Web Root",
226
- "CWE-220": "Storage of File With Sensitive Data Under FTP Root",
227
- "CWE-221": "Information Loss or Omission",
228
- "CWE-222": "Truncation of Security-relevant Information",
229
- "CWE-223": "Omission of Security-relevant Information",
230
- "CWE-224": "Obscured Security-relevant Information by Alternate Name",
231
- "CWE-225": "DEPRECATED: General Information Management Problems",
232
- "CWE-226": "Sensitive Information in Resource Not Removed Before Reuse",
233
- "CWE-228": "Improper Handling of Syntactically Invalid Structure",
234
- "CWE-229": "Improper Handling of Values",
235
- "CWE-230": "Improper Handling of Missing Values",
236
- "CWE-231": "Improper Handling of Extra Values",
237
- "CWE-232": "Improper Handling of Undefined Values",
238
- "CWE-233": "Improper Handling of Parameters",
239
- "CWE-234": "Failure to Handle Missing Parameter",
240
- "CWE-235": "Improper Handling of Extra Parameters",
241
- "CWE-236": "Improper Handling of Undefined Parameters",
242
- "CWE-237": "Improper Handling of Structural Elements",
243
- "CWE-238": "Improper Handling of Incomplete Structural Elements",
244
- "CWE-239": "Failure to Handle Incomplete Element",
245
- "CWE-240": "Improper Handling of Inconsistent Structural Elements",
246
- "CWE-241": "Improper Handling of Unexpected Data Type",
247
- "CWE-242": "Use of Inherently Dangerous Function",
248
- "CWE-243": "Creation of chroot Jail Without Changing Working Directory",
249
- "CWE-244": "Improper Clearing of Heap Memory Before Release",
250
- "CWE-245": "J2EE Bad Practices: Direct Management of Connections",
251
- "CWE-246": "J2EE Bad Practices: Direct Use of Sockets",
252
- "CWE-247": "DEPRECATED: Reliance on DNS Lookups in a Security Decision",
253
- "CWE-248": "Uncaught Exception",
254
- "CWE-249": "DEPRECATED: Often Misused: Path Manipulation",
255
- "CWE-250": "Execution with Unnecessary Privileges",
256
- "CWE-252": "Unchecked Return Value",
257
- "CWE-253": "Incorrect Check of Function Return Value",
258
- "CWE-256": "Plaintext Storage of a Password",
259
- "CWE-257": "Storing Passwords in a Recoverable Format",
260
- "CWE-258": "Empty Password in Configuration File",
261
- "CWE-259": "Use of Hard-coded Password",
262
- "CWE-260": "Password in Configuration File",
263
- "CWE-261": "Weak Encoding for Password",
264
- "CWE-262": "Not Using Password Aging",
265
- "CWE-263": "Password Aging with Long Expiration",
266
- "CWE-266": "Incorrect Privilege Assignment",
267
- "CWE-267": "Privilege Defined With Unsafe Actions",
268
- "CWE-268": "Privilege Chaining",
269
- "CWE-269": "Improper Privilege Management",
270
- "CWE-270": "Privilege Context Switching Error",
271
- "CWE-271": "Privilege Dropping / Lowering Errors",
272
- "CWE-272": "Least Privilege Violation",
273
- "CWE-273": "Improper Check for Dropped Privileges",
274
- "CWE-274": "Improper Handling of Insufficient Privileges",
275
- "CWE-276": "Incorrect Default Permissions",
276
- "CWE-277": "Insecure Inherited Permissions",
277
- "CWE-278": "Insecure Preserved Inherited Permissions",
278
- "CWE-279": "Incorrect Execution-Assigned Permissions",
279
- "CWE-280": "Improper Handling of Insufficient Permissions or Privileges ",
280
- "CWE-281": "Improper Preservation of Permissions",
281
- "CWE-282": "Improper Ownership Management",
282
- "CWE-283": "Unverified Ownership",
283
- "CWE-284": "Improper Access Control",
284
- "CWE-285": "Improper Authorization",
285
- "CWE-286": "Incorrect User Management",
286
- "CWE-287": "Improper Authentication",
287
- "CWE-288": "Authentication Bypass Using an Alternate Path or Channel",
288
- "CWE-289": "Authentication Bypass by Alternate Name",
289
- "CWE-290": "Authentication Bypass by Spoofing",
290
- "CWE-291": "Reliance on IP Address for Authentication",
291
- "CWE-292": "DEPRECATED: Trusting Self-reported DNS Name",
292
- "CWE-293": "Using Referer Field for Authentication",
293
- "CWE-294": "Authentication Bypass by Capture-replay",
294
- "CWE-295": "Improper Certificate Validation",
295
- "CWE-296": "Improper Following of a Certificates Chain of Trust",
296
- "CWE-297": "Improper Validation of Certificate with Host Mismatch",
297
- "CWE-298": "Improper Validation of Certificate Expiration",
298
- "CWE-299": "Improper Check for Certificate Revocation",
299
- "CWE-300": "Channel Accessible by Non-Endpoint",
300
- "CWE-301": "Reflection Attack in an Authentication Protocol",
301
- "CWE-302": "Authentication Bypass by Assumed-Immutable Data",
302
- "CWE-303": "Incorrect Implementation of Authentication Algorithm",
303
- "CWE-304": "Missing Critical Step in Authentication",
304
- "CWE-305": "Authentication Bypass by Primary Weakness",
305
- "CWE-306": "Missing Authentication for Critical Function",
306
- "CWE-307": "Improper Restriction of Excessive Authentication Attempts",
307
- "CWE-308": "Use of Single-factor Authentication",
308
- "CWE-309": "Use of Password System for Primary Authentication",
309
- "CWE-311": "Missing Encryption of Sensitive Data",
310
- "CWE-312": "Cleartext Storage of Sensitive Information",
311
- "CWE-313": "Cleartext Storage in a File or on Disk",
312
- "CWE-314": "Cleartext Storage in the Registry",
313
- "CWE-315": "Cleartext Storage of Sensitive Information in a Cookie",
314
- "CWE-316": "Cleartext Storage of Sensitive Information in Memory",
315
- "CWE-317": "Cleartext Storage of Sensitive Information in GUI",
316
- "CWE-318": "Cleartext Storage of Sensitive Information in Executable",
317
- "CWE-319": "Cleartext Transmission of Sensitive Information",
318
- "CWE-321": "Use of Hard-coded Cryptographic Key",
319
- "CWE-322": "Key Exchange without Entity Authentication",
320
- "CWE-323": "Reusing a Nonce, Key Pair in Encryption",
321
- "CWE-324": "Use of a Key Past its Expiration Date",
322
- "CWE-325": "Missing Cryptographic Step",
323
- "CWE-326": "Inadequate Encryption Strength",
324
- "CWE-327": "Use of a Broken or Risky Cryptographic Algorithm",
325
- "CWE-328": "Use of Weak Hash",
326
- "CWE-329": "Generation of Predictable IV with CBC Mode",
327
- "CWE-330": "Use of Insufficiently Random Values",
328
- "CWE-331": "Insufficient Entropy",
329
- "CWE-332": "Insufficient Entropy in PRNG",
330
- "CWE-333": "Improper Handling of Insufficient Entropy in TRNG",
331
- "CWE-334": "Small Space of Random Values",
332
- "CWE-335": "Incorrect Usage of Seeds in Pseudo-Random Number Generator",
333
- "CWE-336": "Same Seed in Pseudo-Random Number Generator",
334
- "CWE-337": "Predictable Seed in Pseudo-Random Number Generator",
335
- "CWE-338": "Use of Cryptographically Weak Pseudo-Random Number Generator",
336
- "CWE-339": "Small Seed Space in PRNG",
337
- "CWE-340": "Generation of Predictable Numbers or Identifiers",
338
- "CWE-341": "Predictable from Observable State",
339
- "CWE-342": "Predictable Exact Value from Previous Values",
340
- "CWE-343": "Predictable Value Range from Previous Values",
341
- "CWE-344": "Use of Invariant Value in Dynamically Changing Context",
342
- "CWE-345": "Insufficient Verification of Data Authenticity",
343
- "CWE-346": "Origin Validation Error",
344
- "CWE-347": "Improper Verification of Cryptographic Signature",
345
- "CWE-348": "Use of Less Trusted Source",
346
- "CWE-349": "Acceptance of Extraneous Untrusted Data With Trusted Data",
347
- "CWE-350": "Reliance on Reverse DNS Resolution for a Security-Critical "
348
- "Action",
349
- "CWE-351": "Insufficient Type Distinction",
350
- "CWE-352": "Cross-Site Request Forgery",
351
- "CWE-353": "Missing Support for Integrity Check",
352
- "CWE-354": "Improper Validation of Integrity Check Value",
353
- "CWE-356": "Product UI does not Warn User of Unsafe Actions",
354
- "CWE-357": "Insufficient UI Warning of Dangerous Operations",
355
- "CWE-358": "Improperly Implemented Security Check for Standard",
356
- "CWE-359": "Exposure of Private Personal Information to an Unauthorized "
357
- "Actor",
358
- "CWE-360": "Trust of System Event Data",
359
- "CWE-362": "Concurrent Execution using Shared Resource with Improper "
360
- "Synchronization",
361
- "CWE-363": "Race Condition Enabling Link Following",
362
- "CWE-364": "Signal Handler Race Condition",
363
- "CWE-365": "DEPRECATED: Race Condition in Switch",
364
- "CWE-366": "Race Condition within a Thread",
365
- "CWE-367": "Time-of-check Time-of-use",
366
- "CWE-368": "Context Switching Race Condition",
367
- "CWE-369": "Divide By Zero",
368
- "CWE-370": "Missing Check for Certificate Revocation after Initial Check",
369
- "CWE-372": "Incomplete Internal State Distinction",
370
- "CWE-373": "DEPRECATED: State Synchronization Error",
371
- "CWE-374": "Passing Mutable Objects to an Untrusted Method",
372
- "CWE-375": "Returning a Mutable Object to an Untrusted Caller",
373
- "CWE-377": "Insecure Temporary File",
374
- "CWE-378": "Creation of Temporary File With Insecure Permissions",
375
- "CWE-379": "Creation of Temporary File in Directory with Insecure "
376
- "Permissions",
377
- "CWE-382": "J2EE Bad Practices: Use of System.exit",
378
- "CWE-383": "J2EE Bad Practices: Direct Use of Threads",
379
- "CWE-384": "Session Fixation",
380
- "CWE-385": "Covert Timing Channel",
381
- "CWE-386": "Symbolic Name not Mapping to Correct Object",
382
- "CWE-390": "Detection of Error Condition Without Action",
383
- "CWE-391": "Unchecked Error Condition",
384
- "CWE-392": "Missing Report of Error Condition",
385
- "CWE-393": "Return of Wrong Status Code",
386
- "CWE-394": "Unexpected Status Code or Return Value",
387
- "CWE-395": "Use of NullPointerException Catch to Detect NULL Pointer "
388
- "Dereference",
389
- "CWE-396": "Declaration of Catch for Generic Exception",
390
- "CWE-397": "Declaration of Throws for Generic Exception",
391
- "CWE-400": "Uncontrolled Resource Consumption",
392
- "CWE-401": "Missing Release of Memory after Effective Lifetime",
393
- "CWE-402": "Transmission of Private Resources into a New Sphere",
394
- "CWE-403": "Exposure of File Descriptor to Unintended Control Sphere",
395
- "CWE-404": "Improper Resource Shutdown or Release",
396
- "CWE-405": "Asymmetric Resource Consumption",
397
- "CWE-406": "Insufficient Control of Network Message Volume",
398
- "CWE-407": "Inefficient Algorithmic Complexity",
399
- "CWE-408": "Incorrect Behavior Order: Early Amplification",
400
- "CWE-409": "Improper Handling of Highly Compressed Data",
401
- "CWE-410": "Insufficient Resource Pool",
402
- "CWE-412": "Unrestricted Externally Accessible Lock",
403
- "CWE-413": "Improper Resource Locking",
404
- "CWE-414": "Missing Lock Check",
405
- "CWE-415": "Double Free",
406
- "CWE-416": "Use After Free",
407
- "CWE-419": "Unprotected Primary Channel",
408
- "CWE-420": "Unprotected Alternate Channel",
409
- "CWE-421": "Race Condition During Access to Alternate Channel",
410
- "CWE-422": "Unprotected Windows Messaging Channel",
411
- "CWE-423": "DEPRECATED: Proxied Trusted Channel",
412
- "CWE-424": "Improper Protection of Alternate Path",
413
- "CWE-425": "Direct Request",
414
- "CWE-426": "Untrusted Search Path",
415
- "CWE-427": "Uncontrolled Search Path Element",
416
- "CWE-428": "Unquoted Search Path or Element",
417
- "CWE-430": "Deployment of Wrong Handler",
418
- "CWE-431": "Missing Handler",
419
- "CWE-432": "Dangerous Signal Handler not Disabled During Sensitive "
420
- "Operations",
421
- "CWE-433": "Unparsed Raw Web Content Delivery",
422
- "CWE-434": "Unrestricted Upload of File with Dangerous Type",
423
- "CWE-435": "Improper Interaction Between Multiple Correctly-Behaving "
424
- "Entities",
425
- "CWE-436": "Interpretation Conflict",
426
- "CWE-437": "Incomplete Model of Endpoint Features",
427
- "CWE-439": "Behavioral Change in New Version or Environment",
428
- "CWE-440": "Expected Behavior Violation",
429
- "CWE-441": "Unintended Proxy or Intermediary",
430
- "CWE-443": "DEPRECATED: HTTP response splitting",
431
- "CWE-444": "Inconsistent Interpretation of HTTP Requests",
432
- "CWE-446": "UI Discrepancy for Security Feature",
433
- "CWE-447": "Unimplemented or Unsupported Feature in UI",
434
- "CWE-448": "Obsolete Feature in UI",
435
- "CWE-449": "The UI Performs the Wrong Action",
436
- "CWE-450": "Multiple Interpretations of UI Input",
437
- "CWE-451": "User Interface",
438
- "CWE-453": "Insecure Default Variable Initialization",
439
- "CWE-454": "External Initialization of Trusted Variables or Data Stores",
440
- "CWE-455": "Non-exit on Failed Initialization",
441
- "CWE-456": "Missing Initialization of a Variable",
442
- "CWE-457": "Use of Uninitialized Variable",
443
- "CWE-458": "DEPRECATED: Incorrect Initialization",
444
- "CWE-459": "Incomplete Cleanup",
445
- "CWE-460": "Improper Cleanup on Thrown Exception",
446
- "CWE-462": "Duplicate Key in Associative List",
447
- "CWE-463": "Deletion of Data Structure Sentinel",
448
- "CWE-464": "Addition of Data Structure Sentinel",
449
- "CWE-466": "Return of Pointer Value Outside of Expected Range",
450
- "CWE-467": "Use of sizeof",
451
- "CWE-468": "Incorrect Pointer Scaling",
452
- "CWE-469": "Use of Pointer Subtraction to Determine Size",
453
- "CWE-470": "Use of Externally-Controlled Input to Select Classes or Code",
454
- "CWE-471": "Modification of Assumed-Immutable Data",
455
- "CWE-472": "External Control of Assumed-Immutable Web Parameter",
456
- "CWE-473": "PHP External Variable Modification",
457
- "CWE-474": "Use of Function with Inconsistent Implementations",
458
- "CWE-475": "Undefined Behavior for Input to API",
459
- "CWE-476": "NULL Pointer Dereference",
460
- "CWE-477": "Use of Obsolete Function",
461
- "CWE-478": "Missing Default Case in Multiple Condition Expression",
462
- "CWE-479": "Signal Handler Use of a Non-reentrant Function",
463
- "CWE-480": "Use of Incorrect Operator",
464
- "CWE-481": "Assigning instead of Comparing",
465
- "CWE-482": "Comparing instead of Assigning",
466
- "CWE-483": "Incorrect Block Delimitation",
467
- "CWE-484": "Omitted Break Statement in Switch",
468
- "CWE-486": "Comparison of Classes by Name",
469
- "CWE-487": "Reliance on Package-level Scope",
470
- "CWE-488": "Exposure of Data Element to Wrong Session",
471
- "CWE-489": "Active Debug Code",
472
- "CWE-491": "Public cloneable",
473
- "CWE-492": "Use of Inner Class Containing Sensitive Data",
474
- "CWE-493": "Critical Public Variable Without Final Modifier",
475
- "CWE-494": "Download of Code Without Integrity Check",
476
- "CWE-495": "Private Data Structure Returned From A Public Method",
477
- "CWE-496": "Public Data Assigned to Private Array-Typed Field",
478
- "CWE-497": "Exposure of Sensitive System Information to an Unauthorized "
479
- "Control Sphere",
480
- "CWE-498": "Cloneable Class Containing Sensitive Information",
481
- "CWE-499": "Serializable Class Containing Sensitive Data",
482
- "CWE-500": "Public Static Field Not Marked Final",
483
- "CWE-501": "Trust Boundary Violation",
484
- "CWE-502": "Deserialization of Untrusted Data",
485
- "CWE-506": "Embedded Malicious Code",
486
- "CWE-507": "Trojan Horse",
487
- "CWE-508": "Non-Replicating Malicious Code",
488
- "CWE-509": "Replicating Malicious Code",
489
- "CWE-510": "Trapdoor",
490
- "CWE-511": "Logic/Time Bomb",
491
- "CWE-512": "Spyware",
492
- "CWE-514": "Covert Channel",
493
- "CWE-515": "Covert Storage Channel",
494
- "CWE-516": "DEPRECATED: Covert Timing Channel",
495
- "CWE-520": ".NET Misconfiguration: Use of Impersonation",
496
- "CWE-521": "Weak Password Requirements",
497
- "CWE-522": "Insufficiently Protected Credentials",
498
- "CWE-523": "Unprotected Transport of Credentials",
499
- "CWE-524": "Use of Cache Containing Sensitive Information",
500
- "CWE-525": "Use of Web Browser Cache Containing Sensitive Information",
501
- "CWE-526": "Cleartext Storage of Sensitive Information in an Environment "
502
- "Variable",
503
- "CWE-527": "Exposure of Version-Control Repository to an Unauthorized "
504
- "Control Sphere",
505
- "CWE-528": "Exposure of Core Dump File to an Unauthorized Control Sphere",
506
- "CWE-529": "Exposure of Access Control List Files to an Unauthorized "
507
- "Control Sphere",
508
- "CWE-530": "Exposure of Backup File to an Unauthorized Control Sphere",
509
- "CWE-531": "Inclusion of Sensitive Information in Test Code",
510
- "CWE-532": "Insertion of Sensitive Information into Log File",
511
- "CWE-533": "DEPRECATED: Information Exposure Through Server Log Files",
512
- "CWE-534": "DEPRECATED: Information Exposure Through Debug Log Files",
513
- "CWE-535": "Exposure of Information Through Shell Error Message",
514
- "CWE-536": "Servlet Runtime Error Message Containing Sensitive Information",
515
- "CWE-537": "Java Runtime Error Message Containing Sensitive Information",
516
- "CWE-538": "Insertion of Sensitive Information into Externally-Accessible "
517
- "File or Directory",
518
- "CWE-539": "Use of Persistent Cookies Containing Sensitive Information",
519
- "CWE-540": "Inclusion of Sensitive Information in Source Code",
520
- "CWE-541": "Inclusion of Sensitive Information in an Include File",
521
- "CWE-542": "DEPRECATED: Information Exposure Through Cleanup Log Files",
522
- "CWE-543": "Use of Singleton Pattern Without Synchronization in a "
523
- "Multithreaded Context",
524
- "CWE-544": "Missing Standardized Error Handling Mechanism",
525
- "CWE-545": "DEPRECATED: Use of Dynamic Class Loading",
526
- "CWE-546": "Suspicious Comment",
527
- "CWE-547": "Use of Hard-coded, Security-relevant Constants",
528
- "CWE-548": "Exposure of Information Through Directory Listing",
529
- "CWE-549": "Missing Password Field Masking",
530
- "CWE-550": "Server-generated Error Message Containing Sensitive "
531
- "Information",
532
- "CWE-551": "Incorrect Behavior Order: Authorization Before Parsing and "
533
- "Canonicalization",
534
- "CWE-552": "Files or Directories Accessible to External Parties",
535
- "CWE-553": "Command Shell in Externally Accessible Directory",
536
- "CWE-554": "ASP.NET Misconfiguration: Not Using Input Validation Framework",
537
- "CWE-555": "J2EE Misconfiguration: Plaintext Password in Configuration "
538
- "File",
539
- "CWE-556": "ASP.NET Misconfiguration: Use of Identity Impersonation",
540
- "CWE-558": "Use of getlogin",
541
- "CWE-560": "Use of umask",
542
- "CWE-561": "Dead Code",
543
- "CWE-562": "Return of Stack Variable Address",
544
- "CWE-563": "Assignment to Variable without Use",
545
- "CWE-564": "SQL Injection: Hibernate",
546
- "CWE-565": "Reliance on Cookies without Validation and Integrity Checking",
547
- "CWE-566": "Authorization Bypass Through User-Controlled SQL Primary Key",
548
- "CWE-567": "Unsynchronized Access to Shared Data in a Multithreaded "
549
- "Context",
550
- "CWE-568": "finalize",
551
- "CWE-570": "Expression is Always False",
552
- "CWE-571": "Expression is Always True",
553
- "CWE-572": "Call to Thread run",
554
- "CWE-573": "Improper Following of Specification by Caller",
555
- "CWE-574": "EJB Bad Practices: Use of Synchronization Primitives",
556
- "CWE-575": "EJB Bad Practices: Use of AWT Swing",
557
- "CWE-576": "EJB Bad Practices: Use of Java I/O",
558
- "CWE-577": "EJB Bad Practices: Use of Sockets",
559
- "CWE-578": "EJB Bad Practices: Use of Class Loader",
560
- "CWE-579": "J2EE Bad Practices: Non-serializable Object Stored in Session",
561
- "CWE-580": "clone",
562
- "CWE-581": "Object Model Violation: Just One of Equals and Hashcode "
563
- "Defined",
564
- "CWE-582": "Array Declared Public, Final, and Static",
565
- "CWE-583": "finalize",
566
- "CWE-584": "Return Inside Finally Block",
567
- "CWE-585": "Empty Synchronized Block",
568
- "CWE-586": "Explicit Call to Finalize",
569
- "CWE-587": "Assignment of a Fixed Address to a Pointer",
570
- "CWE-588": "Attempt to Access Child of a Non-structure Pointer",
571
- "CWE-589": "Call to Non-ubiquitous API",
572
- "CWE-590": "Free of Memory not on the Heap",
573
- "CWE-591": "Sensitive Data Storage in Improperly Locked Memory",
574
- "CWE-592": "DEPRECATED: Authentication Bypass Issues",
575
- "CWE-593": "Authentication Bypass: OpenSSL CTX Object Modified after SSL "
576
- "Objects are Created",
577
- "CWE-594": "J2EE Framework: Saving Unserializable Objects to Disk",
578
- "CWE-595": "Comparison of Object References Instead of Object Contents",
579
- "CWE-596": "DEPRECATED: Incorrect Semantic Object Comparison",
580
- "CWE-597": "Use of Wrong Operator in String Comparison",
581
- "CWE-598": "Use of GET Request Method With Sensitive Query Strings",
582
- "CWE-599": "Missing Validation of OpenSSL Certificate",
583
- "CWE-600": "Uncaught Exception in Servlet ",
584
- "CWE-601": "URL Redirection to Untrusted Site",
585
- "CWE-602": "Client-Side Enforcement of Server-Side Security",
586
- "CWE-603": "Use of Client-Side Authentication",
587
- "CWE-605": "Multiple Binds to the Same Port",
588
- "CWE-606": "Unchecked Input for Loop Condition",
589
- "CWE-607": "Public Static Final Field References Mutable Object",
590
- "CWE-608": "Struts: Non-private Field in ActionForm Class",
591
- "CWE-609": "Double-Checked Locking",
592
- "CWE-610": "Externally Controlled Reference to a Resource in Another "
593
- "Sphere",
594
- "CWE-611": "Improper Restriction of XML External Entity Reference",
595
- "CWE-612": "Improper Authorization of Index Containing Sensitive "
596
- "Information",
597
- "CWE-613": "Insufficient Session Expiration",
598
- "CWE-614": "Sensitive Cookie in HTTPS Session Without Secure Attribute",
599
- "CWE-615": "Inclusion of Sensitive Information in Source Code Comments",
600
- "CWE-616": "Incomplete Identification of Uploaded File Variables",
601
- "CWE-617": "Reachable Assertion",
602
- "CWE-618": "Exposed Unsafe ActiveX Method",
603
- "CWE-619": "Dangling Database Cursor",
604
- "CWE-620": "Unverified Password Change",
605
- "CWE-621": "Variable Extraction Error",
606
- "CWE-622": "Improper Validation of Function Hook Arguments",
607
- "CWE-623": "Unsafe ActiveX Control Marked Safe For Scripting",
608
- "CWE-624": "Executable Regular Expression Error",
609
- "CWE-625": "Permissive Regular Expression",
610
- "CWE-626": "Null Byte Interaction Error",
611
- "CWE-627": "Dynamic Variable Evaluation",
612
- "CWE-628": "Function Call with Incorrectly Specified Arguments",
613
- "CWE-636": "Not Failing Securely",
614
- "CWE-637": "Unnecessary Complexity in Protection Mechanism",
615
- "CWE-638": "Not Using Complete Mediation",
616
- "CWE-639": "Authorization Bypass Through User-Controlled Key",
617
- "CWE-640": "Weak Password Recovery Mechanism for Forgotten Password",
618
- "CWE-641": "Improper Restriction of Names for Files and Other Resources",
619
- "CWE-642": "External Control of Critical State Data",
620
- "CWE-643": "Improper Neutralization of Data within XPath Expressions",
621
- "CWE-644": "Improper Neutralization of HTTP Headers for Scripting Syntax",
622
- "CWE-645": "Overly Restrictive Account Lockout Mechanism",
623
- "CWE-646": "Reliance on File Name or Extension of Externally-Supplied File",
624
- "CWE-647": "Use of Non-Canonical URL Paths for Authorization Decisions",
625
- "CWE-648": "Incorrect Use of Privileged APIs",
626
- "CWE-649": "Reliance on Obfuscation or Encryption of Security-Relevant "
627
- "Inputs without Integrity Checking",
628
- "CWE-650": "Trusting HTTP Permission Methods on the Server Side",
629
- "CWE-651": "Exposure of WSDL File Containing Sensitive Information",
630
- "CWE-652": "Improper Neutralization of Data within XQuery Expressions",
631
- "CWE-653": "Improper Isolation or Compartmentalization",
632
- "CWE-654": "Reliance on a Single Factor in a Security Decision",
633
- "CWE-655": "Insufficient Psychological Acceptability",
634
- "CWE-656": "Reliance on Security Through Obscurity",
635
- "CWE-657": "Violation of Secure Design Principles",
636
- "CWE-662": "Improper Synchronization",
637
- "CWE-663": "Use of a Non-reentrant Function in a Concurrent Context",
638
- "CWE-664": "Improper Control of a Resource Through its Lifetime",
639
- "CWE-665": "Improper Initialization",
640
- "CWE-666": "Operation on Resource in Wrong Phase of Lifetime",
641
- "CWE-667": "Improper Locking",
642
- "CWE-668": "Exposure of Resource to Wrong Sphere",
643
- "CWE-669": "Incorrect Resource Transfer Between Spheres",
644
- "CWE-670": "Always-Incorrect Control Flow Implementation",
645
- "CWE-671": "Lack of Administrator Control over Security",
646
- "CWE-672": "Operation on a Resource after Expiration or Release",
647
- "CWE-673": "External Influence of Sphere Definition",
648
- "CWE-674": "Uncontrolled Recursion",
649
- "CWE-675": "Multiple Operations on Resource in Single-Operation Context",
650
- "CWE-676": "Use of Potentially Dangerous Function",
651
- "CWE-680": "Integer Overflow to Buffer Overflow",
652
- "CWE-681": "Incorrect Conversion between Numeric Types",
653
- "CWE-682": "Incorrect Calculation",
654
- "CWE-683": "Function Call With Incorrect Order of Arguments",
655
- "CWE-684": "Incorrect Provision of Specified Functionality",
656
- "CWE-685": "Function Call With Incorrect Number of Arguments",
657
- "CWE-686": "Function Call With Incorrect Argument Type",
658
- "CWE-687": "Function Call With Incorrectly Specified Argument Value",
659
- "CWE-688": "Function Call With Incorrect Variable or Reference as Argument",
660
- "CWE-689": "Permission Race Condition During Resource Copy",
661
- "CWE-690": "Unchecked Return Value to NULL Pointer Dereference",
662
- "CWE-691": "Insufficient Control Flow Management",
663
- "CWE-692": "Incomplete Denylist to Cross-Site Scripting",
664
- "CWE-693": "Protection Mechanism Failure",
665
- "CWE-694": "Use of Multiple Resources with Duplicate Identifier",
666
- "CWE-695": "Use of Low-Level Functionality",
667
- "CWE-696": "Incorrect Behavior Order",
668
- "CWE-697": "Incorrect Comparison",
669
- "CWE-698": "Execution After Redirect",
670
- "CWE-703": "Improper Check or Handling of Exceptional Conditions",
671
- "CWE-704": "Incorrect Type Conversion or Cast",
672
- "CWE-705": "Incorrect Control Flow Scoping",
673
- "CWE-706": "Use of Incorrectly-Resolved Name or Reference",
674
- "CWE-707": "Improper Neutralization",
675
- "CWE-708": "Incorrect Ownership Assignment",
676
- "CWE-710": "Improper Adherence to Coding Standards",
677
- "CWE-732": "Incorrect Permission Assignment for Critical Resource",
678
- "CWE-733": "Compiler Optimization Removal or Modification of "
679
- "Security-critical Code",
680
- "CWE-749": "Exposed Dangerous Method or Function",
681
- "CWE-754": "Improper Check for Unusual or Exceptional Conditions",
682
- "CWE-755": "Improper Handling of Exceptional Conditions",
683
- "CWE-756": "Missing Custom Error Page",
684
- "CWE-757": "Selection of Less-Secure Algorithm During Negotiation",
685
- "CWE-758": "Reliance on Undefined, Unspecified, or Implementation-Defined "
686
- "Behavior",
687
- "CWE-759": "Use of a One-Way Hash without a Salt",
688
- "CWE-760": "Use of a One-Way Hash with a Predictable Salt",
689
- "CWE-761": "Free of Pointer not at Start of Buffer",
690
- "CWE-762": "Mismatched Memory Management Routines",
691
- "CWE-763": "Release of Invalid Pointer or Reference",
692
- "CWE-764": "Multiple Locks of a Critical Resource",
693
- "CWE-765": "Multiple Unlocks of a Critical Resource",
694
- "CWE-766": "Critical Data Element Declared Public",
695
- "CWE-767": "Access to Critical Private Variable via Public Method",
696
- "CWE-768": "Incorrect Short Circuit Evaluation",
697
- "CWE-769": "DEPRECATED: Uncontrolled File Descriptor Consumption",
698
- "CWE-770": "Allocation of Resources Without Limits or Throttling",
699
- "CWE-771": "Missing Reference to Active Allocated Resource",
700
- "CWE-772": "Missing Release of Resource after Effective Lifetime",
701
- "CWE-773": "Missing Reference to Active File Descriptor or Handle",
702
- "CWE-774": "Allocation of File Descriptors or Handles Without Limits or "
703
- "Throttling",
704
- "CWE-775": "Missing Release of File Descriptor or Handle after Effective "
705
- "Lifetime",
706
- "CWE-776": "Improper Restriction of Recursive Entity References in DTDs",
707
- "CWE-777": "Regular Expression without Anchors",
708
- "CWE-778": "Insufficient Logging",
709
- "CWE-779": "Logging of Excessive Data",
710
- "CWE-780": "Use of RSA Algorithm without OAEP",
711
- "CWE-781": "Improper Address Validation in IOCTL with METHOD_NEITHER I/O "
712
- "Control Code",
713
- "CWE-782": "Exposed IOCTL with Insufficient Access Control",
714
- "CWE-783": "Operator Precedence Logic Error",
715
- "CWE-784": "Reliance on Cookies without Validation and Integrity Checking "
716
- "in a Security Decision",
717
- "CWE-785": "Use of Path Manipulation Function without Maximum-sized Buffer",
718
- "CWE-786": "Access of Memory Location Before Start of Buffer",
719
- "CWE-787": "Out-of-bounds Write",
720
- "CWE-788": "Access of Memory Location After End of Buffer",
721
- "CWE-789": "Memory Allocation with Excessive Size Value",
722
- "CWE-790": "Improper Filtering of Special Elements",
723
- "CWE-791": "Incomplete Filtering of Special Elements",
724
- "CWE-792": "Incomplete Filtering of One or More Instances of Special "
725
- "Elements",
726
- "CWE-793": "Only Filtering One Instance of a Special Element",
727
- "CWE-794": "Incomplete Filtering of Multiple Instances of Special Elements",
728
- "CWE-795": "Only Filtering Special Elements at a Specified Location",
729
- "CWE-796": "Only Filtering Special Elements Relative to a Marker",
730
- "CWE-797": "Only Filtering Special Elements at an Absolute Position",
731
- "CWE-798": "Use of Hard-coded Credentials",
732
- "CWE-799": "Improper Control of Interaction Frequency",
733
- "CWE-804": "Guessable CAPTCHA",
734
- "CWE-805": "Buffer Access with Incorrect Length Value",
735
- "CWE-806": "Buffer Access Using Size of Source Buffer",
736
- "CWE-807": "Reliance on Untrusted Inputs in a Security Decision",
737
- "CWE-820": "Missing Synchronization",
738
- "CWE-821": "Incorrect Synchronization",
739
- "CWE-822": "Untrusted Pointer Dereference",
740
- "CWE-823": "Use of Out-of-range Pointer Offset",
741
- "CWE-824": "Access of Uninitialized Pointer",
742
- "CWE-825": "Expired Pointer Dereference",
743
- "CWE-826": "Premature Release of Resource During Expected Lifetime",
744
- "CWE-827": "Improper Control of Document Type Definition",
745
- "CWE-828": "Signal Handler with Functionality that is not "
746
- "Asynchronous-Safe",
747
- "CWE-829": "Inclusion of Functionality from Untrusted Control Sphere",
748
- "CWE-830": "Inclusion of Web Functionality from an Untrusted Source",
749
- "CWE-831": "Signal Handler Function Associated with Multiple Signals",
750
- "CWE-832": "Unlock of a Resource that is not Locked",
751
- "CWE-833": "Deadlock",
752
- "CWE-834": "Excessive Iteration",
753
- "CWE-835": "Loop with Unreachable Exit Condition",
754
- "CWE-836": "Use of Password Hash Instead of Password for Authentication",
755
- "CWE-837": "Improper Enforcement of a Single, Unique Action",
756
- "CWE-838": "Inappropriate Encoding for Output Context",
757
- "CWE-839": "Numeric Range Comparison Without Minimum Check",
758
- "CWE-841": "Improper Enforcement of Behavioral Workflow",
759
- "CWE-842": "Placement of User into Incorrect Group",
760
- "CWE-843": "Access of Resource Using Incompatible Type",
761
- "CWE-862": "Missing Authorization",
762
- "CWE-863": "Incorrect Authorization",
763
- "CWE-908": "Use of Uninitialized Resource",
764
- "CWE-909": "Missing Initialization of Resource",
765
- "CWE-910": "Use of Expired File Descriptor",
766
- "CWE-911": "Improper Update of Reference Count",
767
- "CWE-912": "Hidden Functionality",
768
- "CWE-913": "Improper Control of Dynamically-Managed Code Resources",
769
- "CWE-914": "Improper Control of Dynamically-Identified Variables",
770
- "CWE-915": "Improperly Controlled Modification of Dynamically-Determined "
771
- "Object Attributes",
772
- "CWE-916": "Use of Password Hash With Insufficient Computational Effort",
773
- "CWE-917": "Improper Neutralization of Special Elements used in an "
774
- "Expression Language Statement",
775
- "CWE-918": "Server-Side Request Forgery",
776
- "CWE-920": "Improper Restriction of Power Consumption",
777
- "CWE-921": "Storage of Sensitive Data in a Mechanism without Access "
778
- "Control",
779
- "CWE-922": "Insecure Storage of Sensitive Information",
780
- "CWE-923": "Improper Restriction of Communication Channel to Intended "
781
- "Endpoints",
782
- "CWE-924": "Improper Enforcement of Message Integrity During Transmission "
783
- "in a Communication Channel",
784
- "CWE-925": "Improper Verification of Intent by Broadcast Receiver",
785
- "CWE-926": "Improper Export of Android Application Components",
786
- "CWE-927": "Use of Implicit Intent for Sensitive Communication",
787
- "CWE-939": "Improper Authorization in Handler for Custom URL Scheme",
788
- "CWE-940": "Improper Verification of Source of a Communication Channel",
789
- "CWE-941": "Incorrectly Specified Destination in a Communication Channel",
790
- "CWE-942": "Permissive Cross-domain Policy with Untrusted Domains",
791
- "CWE-943": "Improper Neutralization of Special Elements in Data Query "
792
- "Logic",
793
- "CWE-1004": "Sensitive Cookie Without HttpOnly Flag",
794
- "CWE-1007": "Insufficient Visual Distinction of Homoglyphs Presented to "
795
- "User",
796
- "CWE-1021": "Improper Restriction of Rendered UI Layers or Frames",
797
- "CWE-1022": "Use of Web Link to Untrusted Target with window.opener Access",
798
- "CWE-1023": "Incomplete Comparison with Missing Factors",
799
- "CWE-1024": "Comparison of Incompatible Types",
800
- "CWE-1025": "Comparison Using Wrong Factors",
801
- "CWE-1037": "Processor Optimization Removal or Modification of "
802
- "Security-critical Code",
803
- "CWE-1038": "Insecure Automated Optimizations",
804
- "CWE-1039": "Automated Recognition Mechanism with Inadequate Detection or "
805
- "Handling of Adversarial Input Perturbations",
806
- "CWE-1041": "Use of Redundant Code",
807
- "CWE-1042": "Static Member Data Element outside of a Singleton Class "
808
- "Element",
809
- "CWE-1043": "Data Element Aggregating an Excessively Large Number of "
810
- "Non-Primitive Elements",
811
- "CWE-1044": "Architecture with Number of Horizontal Layers Outside of "
812
- "Expected Range",
813
- "CWE-1045": "Parent Class with a Virtual Destructor and a Child Class "
814
- "without a Virtual Destructor",
815
- "CWE-1046": "Creation of Immutable Text Using String Concatenation",
816
- "CWE-1047": "Modules with Circular Dependencies",
817
- "CWE-1048": "Invokable Control Element with Large Number of Outward Calls",
818
- "CWE-1049": "Excessive Data Query Operations in a Large Data Table",
819
- "CWE-1050": "Excessive Platform Resource Consumption within a Loop",
820
- "CWE-1051": "Initialization with Hard-Coded Network Resource "
821
- "Configuration Data",
822
- "CWE-1052": "Excessive Use of Hard-Coded Literals in Initialization",
823
- "CWE-1053": "Missing Documentation for Design",
824
- "CWE-1054": "Invocation of a Control Element at an Unnecessarily Deep "
825
- "Horizontal Layer",
826
- "CWE-1055": "Multiple Inheritance from Concrete Classes",
827
- "CWE-1056": "Invokable Control Element with Variadic Parameters",
828
- "CWE-1057": "Data Access Operations Outside of Expected Data Manager "
829
- "Component",
830
- "CWE-1058": "Invokable Control Element in Multi-Thread Context with "
831
- "non-Final Static Storable or Member Element",
832
- "CWE-1059": "Insufficient Technical Documentation",
833
- "CWE-1060": "Excessive Number of Inefficient Server-Side Data Accesses",
834
- "CWE-1061": "Insufficient Encapsulation",
835
- "CWE-1062": "Parent Class with References to Child Class",
836
- "CWE-1063": "Creation of Class Instance within a Static Code Block",
837
- "CWE-1064": "Invokable Control Element with Signature Containing an "
838
- "Excessive Number of Parameters",
839
- "CWE-1065": "Runtime Resource Management Control Element in a Component "
840
- "Built to Run on Application Servers",
841
- "CWE-1066": "Missing Serialization Control Element",
842
- "CWE-1067": "Excessive Execution of Sequential Searches of Data Resource",
843
- "CWE-1068": "Inconsistency Between Implementation and Documented Design",
844
- "CWE-1069": "Empty Exception Block",
845
- "CWE-1070": "Serializable Data Element Containing non-Serializable Item "
846
- "Elements",
847
- "CWE-1071": "Empty Code Block",
848
- "CWE-1072": "Data Resource Access without Use of Connection Pooling",
849
- "CWE-1073": "Non-SQL Invokable Control Element with Excessive Number of "
850
- "Data Resource Accesses",
851
- "CWE-1074": "Class with Excessively Deep Inheritance",
852
- "CWE-1075": "Unconditional Control Flow Transfer outside of Switch Block",
853
- "CWE-1076": "Insufficient Adherence to Expected Conventions",
854
- "CWE-1077": "Floating Point Comparison with Incorrect Operator",
855
- "CWE-1078": "Inappropriate Source Code Style or Formatting",
856
- "CWE-1079": "Parent Class without Virtual Destructor Method",
857
- "CWE-1080": "Source Code File with Excessive Number of Lines of Code",
858
- "CWE-1082": "Class Instance Self Destruction Control Element",
859
- "CWE-1083": "Data Access from Outside Expected Data Manager Component",
860
- "CWE-1084": "Invokable Control Element with Excessive File or Data Access "
861
- "Operations",
862
- "CWE-1085": "Invokable Control Element with Excessive Volume of "
863
- "Commented-out Code",
864
- "CWE-1086": "Class with Excessive Number of Child Classes",
865
- "CWE-1087": "Class with Virtual Method without a Virtual Destructor",
866
- "CWE-1088": "Synchronous Access of Remote Resource without Timeout",
867
- "CWE-1089": "Large Data Table with Excessive Number of Indices",
868
- "CWE-1090": "Method Containing Access of a Member Element from Another "
869
- "Class",
870
- "CWE-1091": "Use of Object without Invoking Destructor Method",
871
- "CWE-1092": "Use of Same Invokable Control Element in Multiple "
872
- "Architectural Layers",
873
- "CWE-1093": "Excessively Complex Data Representation",
874
- "CWE-1094": "Excessive Index Range Scan for a Data Resource",
875
- "CWE-1095": "Loop Condition Value Update within the Loop",
876
- "CWE-1096": "Singleton Class Instance Creation without Proper Locking or "
877
- "Synchronization",
878
- "CWE-1097": "Persistent Storable Data Element without Associated "
879
- "Comparison Control Element",
880
- "CWE-1098": "Data Element containing Pointer Item without Proper Copy "
881
- "Control Element",
882
- "CWE-1099": "Inconsistent Naming Conventions for Identifiers",
883
- "CWE-1100": "Insufficient Isolation of System-Dependent Functions",
884
- "CWE-1101": "Reliance on Runtime Component in Generated Code",
885
- "CWE-1102": "Reliance on Machine-Dependent Data Representation",
886
- "CWE-1103": "Use of Platform-Dependent Third Party Components",
887
- "CWE-1104": "Use of Unmaintained Third Party Components",
888
- "CWE-1105": "Insufficient Encapsulation of Machine-Dependent Functionality",
889
- "CWE-1106": "Insufficient Use of Symbolic Constants",
890
- "CWE-1107": "Insufficient Isolation of Symbolic Constant Definitions",
891
- "CWE-1108": "Excessive Reliance on Global Variables",
892
- "CWE-1109": "Use of Same Variable for Multiple Purposes",
893
- "CWE-1110": "Incomplete Design Documentation",
894
- "CWE-1111": "Incomplete I/O Documentation",
895
- "CWE-1112": "Incomplete Documentation of Program Execution",
896
- "CWE-1113": "Inappropriate Comment Style",
897
- "CWE-1114": "Inappropriate Whitespace Style",
898
- "CWE-1115": "Source Code Element without Standard Prologue",
899
- "CWE-1116": "Inaccurate Comments",
900
- "CWE-1117": "Callable with Insufficient Behavioral Summary",
901
- "CWE-1118": "Insufficient Documentation of Error Handling Techniques",
902
- "CWE-1119": "Excessive Use of Unconditional Branching",
903
- "CWE-1120": "Excessive Code Complexity",
904
- "CWE-1121": "Excessive McCabe Cyclomatic Complexity",
905
- "CWE-1122": "Excessive Halstead Complexity",
906
- "CWE-1123": "Excessive Use of Self-Modifying Code",
907
- "CWE-1124": "Excessively Deep Nesting",
908
- "CWE-1125": "Excessive Attack Surface",
909
- "CWE-1126": "Declaration of Variable with Unnecessarily Wide Scope",
910
- "CWE-1127": "Compilation with Insufficient Warnings or Errors",
911
- "CWE-1164": "Irrelevant Code",
912
- "CWE-1173": "Improper Use of Validation Framework",
913
- "CWE-1174": "ASP.NET Misconfiguration: Improper Model Validation",
914
- "CWE-1176": "Inefficient CPU Computation",
915
- "CWE-1177": "Use of Prohibited Code",
916
- "CWE-1187": "DEPRECATED: Use of Uninitialized Resource",
917
- "CWE-1188": "Insecure Default Initialization of Resource",
918
- "CWE-1189": "Improper Isolation of Shared Resources on System-on-a-Chip",
919
- "CWE-1190": "DMA Device Enabled Too Early in Boot Phase",
920
- "CWE-1191": "On-Chip Debug and Test Interface With Improper Access Control",
921
- "CWE-1192": "System-on-Chip",
922
- "CWE-1193": "Power-On of Untrusted Execution Core Before Enabling Fabric "
923
- "Access Control",
924
- "CWE-1204": "Generation of Weak Initialization Vector",
925
- "CWE-1209": "Failure to Disable Reserved Bits",
926
- "CWE-1220": "Insufficient Granularity of Access Control",
927
- "CWE-1221": "Incorrect Register Defaults or Module Parameters",
928
- "CWE-1222": "Insufficient Granularity of Address Regions Protected by "
929
- "Register Locks",
930
- "CWE-1223": "Race Condition for Write-Once Attributes",
931
- "CWE-1224": "Improper Restriction of Write-Once Bit Fields",
932
- "CWE-1229": "Creation of Emergent Resource",
933
- "CWE-1230": "Exposure of Sensitive Information Through Metadata",
934
- "CWE-1231": "Improper Prevention of Lock Bit Modification",
935
- "CWE-1232": "Improper Lock Behavior After Power State Transition",
936
- "CWE-1233": "Security-Sensitive Hardware Controls with Missing Lock Bit "
937
- "Protection",
938
- "CWE-1234": "Hardware Internal or Debug Modes Allow Override of Locks",
939
- "CWE-1235": "Incorrect Use of Autoboxing and Unboxing for Performance "
940
- "Critical Operations",
941
- "CWE-1236": "Improper Neutralization of Formula Elements in a CSV File",
942
- "CWE-1239": "Improper Zeroization of Hardware Register",
943
- "CWE-1240": "Use of a Cryptographic Primitive with a Risky Implementation",
944
- "CWE-1241": "Use of Predictable Algorithm in Random Number Generator",
945
- "CWE-1242": "Inclusion of Undocumented Features or Chicken Bits",
946
- "CWE-1243": "Sensitive Non-Volatile Information Not Protected During Debug",
947
- "CWE-1244": "Internal Asset Exposed to Unsafe Debug Access Level or State",
948
- "CWE-1245": "Improper Finite State Machines",
949
- "CWE-1246": "Improper Write Handling in Limited-write Non-Volatile "
950
- "Memories",
951
- "CWE-1247": "Improper Protection Against Voltage and Clock Glitches",
952
- "CWE-1248": "Semiconductor Defects in Hardware Logic with "
953
- "Security-Sensitive Implications",
954
- "CWE-1249": "Application-Level Admin Tool with Inconsistent View of "
955
- "Underlying Operating System",
956
- "CWE-1250": "Improper Preservation of Consistency Between Independent "
957
- "Representations of Shared State",
958
- "CWE-1251": "Mirrored Regions with Different Values",
959
- "CWE-1252": "CPU Hardware Not Configured to Support Exclusivity of Write "
960
- "and Execute Operations",
961
- "CWE-1253": "Incorrect Selection of Fuse Values",
962
- "CWE-1254": "Incorrect Comparison Logic Granularity",
963
- "CWE-1255": "Comparison Logic is Vulnerable to Power Side-Channel Attacks",
964
- "CWE-1256": "Improper Restriction of Software Interfaces to Hardware "
965
- "Features",
966
- "CWE-1257": "Improper Access Control Applied to Mirrored or Aliased "
967
- "Memory Regions",
968
- "CWE-1258": "Exposure of Sensitive System Information Due to Uncleared "
969
- "Debug Information",
970
- "CWE-1259": "Improper Restriction of Security Token Assignment",
971
- "CWE-1260": "Improper Handling of Overlap Between Protected Memory Ranges",
972
- "CWE-1261": "Improper Handling of Single Event Upsets",
973
- "CWE-1262": "Improper Access Control for Register Interface",
974
- "CWE-1263": "Improper Physical Access Control",
975
- "CWE-1264": "Hardware Logic with Insecure De-Synchronization between "
976
- "Control and Data Channels",
977
- "CWE-1265": "Unintended Reentrant Invocation of Non-reentrant Code Via "
978
- "Nested Calls",
979
- "CWE-1266": "Improper Scrubbing of Sensitive Data from Decommissioned "
980
- "Device",
981
- "CWE-1267": "Policy Uses Obsolete Encoding",
982
- "CWE-1268": "Policy Privileges are not Assigned Consistently Between "
983
- "Control and Data Agents",
984
- "CWE-1269": "Product Released in Non-Release Configuration",
985
- "CWE-1270": "Generation of Incorrect Security Tokens",
986
- "CWE-1271": "Uninitialized Value on Reset for Registers Holding Security "
987
- "Settings",
988
- "CWE-1272": "Sensitive Information Uncleared Before Debug/Power State "
989
- "Transition",
990
- "CWE-1273": "Device Unlock Credential Sharing",
991
- "CWE-1274": "Improper Access Control for Volatile Memory Containing Boot "
992
- "Code",
993
- "CWE-1275": "Sensitive Cookie with Improper SameSite Attribute",
994
- "CWE-1276": "Hardware Child Block Incorrectly Connected to Parent System",
995
- "CWE-1277": "Firmware Not Updateable",
996
- "CWE-1278": "Missing Protection Against Hardware Reverse Engineering "
997
- "Using Integrated Circuit",
998
- "CWE-1279": "Cryptographic Operations are run Before Supporting Units are "
999
- "Ready",
1000
- "CWE-1280": "Access Control Check Implemented After Asset is Accessed",
1001
- "CWE-1281": "Sequence of Processor Instructions Leads to Unexpected "
1002
- "Behavior",
1003
- "CWE-1282": "Assumed-Immutable Data is Stored in Writable Memory",
1004
- "CWE-1283": "Mutable Attestation or Measurement Reporting Data",
1005
- "CWE-1284": "Improper Validation of Specified Quantity in Input",
1006
- "CWE-1285": "Improper Validation of Specified Index, Position, or Offset "
1007
- "in Input",
1008
- "CWE-1286": "Improper Validation of Syntactic Correctness of Input",
1009
- "CWE-1287": "Improper Validation of Specified Type of Input",
1010
- "CWE-1288": "Improper Validation of Consistency within Input",
1011
- "CWE-1289": "Improper Validation of Unsafe Equivalence in Input",
1012
- "CWE-1290": "Incorrect Decoding of Security Identifiers ",
1013
- "CWE-1291": "Public Key Re-Use for Signing both Debug and Production Code",
1014
- "CWE-1292": "Incorrect Conversion of Security Identifiers",
1015
- "CWE-1293": "Missing Source Correlation of Multiple Independent Data",
1016
- "CWE-1294": "Insecure Security Identifier Mechanism",
1017
- "CWE-1295": "Debug Messages Revealing Unnecessary Information",
1018
- "CWE-1296": "Incorrect Chaining or Granularity of Debug Components",
1019
- "CWE-1297": "Unprotected Confidential Information on Device is Accessible "
1020
- "by OSAT Vendors",
1021
- "CWE-1298": "Hardware Logic Contains Race Conditions",
1022
- "CWE-1299": "Missing Protection Mechanism for Alternate Hardware Interface",
1023
- "CWE-1300": "Improper Protection of Physical Side Channels",
1024
- "CWE-1301": "Insufficient or Incomplete Data Removal within Hardware "
1025
- "Component",
1026
- "CWE-1302": "Missing Security Identifier",
1027
- "CWE-1303": "Non-Transparent Sharing of Microarchitectural Resources",
1028
- "CWE-1304": "Improperly Preserved Integrity of Hardware Configuration "
1029
- "State During a Power Save/Restore Operation",
1030
- "CWE-1310": "Missing Ability to Patch ROM Code",
1031
- "CWE-1311": "Improper Translation of Security Attributes by Fabric Bridge",
1032
- "CWE-1312": "Missing Protection for Mirrored Regions in On-Chip Fabric "
1033
- "Firewall",
1034
- "CWE-1313": "Hardware Allows Activation of Test or Debug Logic at Runtime",
1035
- "CWE-1314": "Missing Write Protection for Parametric Data Values",
1036
- "CWE-1315": "Improper Setting of Bus Controlling Capability in Fabric "
1037
- "End-point",
1038
- "CWE-1316": "Fabric-Address Map Allows Programming of Unwarranted "
1039
- "Overlaps of Protected and Unprotected Ranges",
1040
- "CWE-1317": "Improper Access Control in Fabric Bridge",
1041
- "CWE-1318": "Missing Support for Security Features in On-chip Fabrics or "
1042
- "Buses",
1043
- "CWE-1319": "Improper Protection against Electromagnetic Fault Injection",
1044
- "CWE-1320": "Improper Protection for Outbound Error Messages and Alert "
1045
- "Signals",
1046
- "CWE-1321": "Improperly Controlled Modification of Object Prototype "
1047
- "Attributes",
1048
- "CWE-1322": "Use of Blocking Code in Single-threaded, Non-blocking Context",
1049
- "CWE-1323": "Improper Management of Sensitive Trace Data",
1050
- "CWE-1324": "DEPRECATED: Sensitive Information Accessible by Physical "
1051
- "Probing of JTAG Interface",
1052
- "CWE-1325": "Improperly Controlled Sequential Memory Allocation",
1053
- "CWE-1326": "Missing Immutable Root of Trust in Hardware",
1054
- "CWE-1327": "Binding to an Unrestricted IP Address",
1055
- "CWE-1328": "Security Version Number Mutable to Older Versions",
1056
- "CWE-1329": "Reliance on Component That is Not Updateable",
1057
- "CWE-1330": "Remanent Data Readable after Memory Erase",
1058
- "CWE-1331": "Improper Isolation of Shared Resources in Network On Chip",
1059
- "CWE-1332": "Improper Handling of Faults that Lead to Instruction Skips",
1060
- "CWE-1333": "Inefficient Regular Expression Complexity",
1061
- "CWE-1334": "Unauthorized Error Injection Can Degrade Hardware Redundancy",
1062
- "CWE-1335": "Incorrect Bitwise Shift of Integer",
1063
- "CWE-1336": "Improper Neutralization of Special Elements Used in a "
1064
- "Template Engine",
1065
- "CWE-1338": "Improper Protections Against Hardware Overheating",
1066
- "CWE-1339": "Insufficient Precision or Accuracy of a Real Number",
1067
- "CWE-1341": "Multiple Releases of Same Resource or Handle",
1068
- "CWE-1342": "Information Exposure through Microarchitectural State after "
1069
- "Transient Execution",
1070
- "CWE-1351": "Improper Handling of Hardware Behavior in Exceptionally Cold "
1071
- "Environments",
1072
- "CWE-1357": "Reliance on Insufficiently Trustworthy Component",
1073
- "CWE-1384": "Improper Handling of Physical or Environmental Conditions",
1074
- "CWE-1385": "Missing Origin Validation in WebSockets",
1075
- "CWE-1386": "Insecure Operation on Windows Junction / Mount Point",
1076
- "CWE-1389": "Incorrect Parsing of Numbers with Different Radices",
1077
- "CWE-1390": "Weak Authentication",
1078
- "CWE-1391": "Use of Weak Credentials",
1079
- "CWE-1392": "Use of Default Credentials",
1080
- "CWE-1393": "Use of Default Password",
1081
- "CWE-1394": "Use of Default Cryptographic Key",
1082
- "CWE-1395": "Dependency on Vulnerable Third-Party Component",
22
+ 5: 'J2EE Misconfiguration: Data Transmission Without Encryption',
23
+ 6: 'J2EE Misconfiguration: Insufficient Session-ID Length',
24
+ 7: 'J2EE Misconfiguration: Missing Custom Error Page',
25
+ 8: 'J2EE Misconfiguration: Entity Bean Declared Remote',
26
+ 9: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods',
27
+ 11: 'ASP.NET Misconfiguration: Creating Debug Binary',
28
+ 12: 'ASP.NET Misconfiguration: Missing Custom Error Page',
29
+ 13: 'ASP.NET Misconfiguration: Password in Configuration File',
30
+ 14: 'Compiler Removal of Code to Clear Buffers',
31
+ 15: 'External Control of System or Configuration Setting',
32
+ 20: 'Improper Input Validation',
33
+ 22: 'Improper Limitation of a Pathname to a Restricted Directory',
34
+ 23: 'Relative Path Traversal',
35
+ 24: 'Path Traversal',
36
+ 25: 'Path Traversal',
37
+ 26: 'Path Traversal',
38
+ 27: 'Path Traversal',
39
+ 28: 'Path Traversal',
40
+ 29: 'Path Traversal',
41
+ 30: 'Path Traversal',
42
+ 31: 'Path Traversal',
43
+ 32: 'Path Traversal',
44
+ 33: 'Path Traversal',
45
+ 34: 'Path Traversal',
46
+ 35: 'Path Traversal',
47
+ 36: 'Absolute Path Traversal',
48
+ 37: 'Path Traversal',
49
+ 38: 'Path Traversal',
50
+ 39: 'Path Traversal',
51
+ 40: 'Path Traversal',
52
+ 41: 'Improper Resolution of Path Equivalence',
53
+ 42: 'Path Equivalence',
54
+ 43: 'Path Equivalence',
55
+ 44: 'Path Equivalence',
56
+ 45: 'Path Equivalence',
57
+ 46: 'Path Equivalence',
58
+ 47: 'Path Equivalence',
59
+ 48: 'Path Equivalence',
60
+ 49: 'Path Equivalence',
61
+ 50: 'Path Equivalence',
62
+ 51: 'Path Equivalence',
63
+ 52: 'Path Equivalence',
64
+ 53: 'Path Equivalence',
65
+ 54: 'Path Equivalence',
66
+ 55: 'Path Equivalence',
67
+ 56: 'Path Equivalence',
68
+ 57: 'Path Equivalence',
69
+ 58: 'Path Equivalence',
70
+ 59: 'Improper Link Resolution Before File Access',
71
+ 61: 'UNIX Symbolic Link',
72
+ 62: 'UNIX Hard Link',
73
+ 64: 'Windows Shortcut Following',
74
+ 65: 'Windows Hard Link',
75
+ 66: 'Improper Handling of File Names that Identify Virtual Resources',
76
+ 67: 'Improper Handling of Windows Device Names',
77
+ 69: 'Improper Handling of Windows ::DATA Alternate Data Stream',
78
+ 71: 'DEPRECATED: Apple .DS_Store',
79
+ 72: 'Improper Handling of Apple HFS+ Alternate Data Stream Path',
80
+ 73: 'External Control of File Name or Path',
81
+ 74: 'Improper Neutralization of Special Elements in Output Used by a '
82
+ 'Downstream Component',
83
+ 75: 'Failure to Sanitize Special Elements into a Different Plane',
84
+ 76: 'Improper Neutralization of Equivalent Special Elements',
85
+ 77: 'Improper Neutralization of Special Elements used in a Command',
86
+ 78: 'Improper Neutralization of Special Elements used in an OS Command',
87
+ 79: 'Improper Neutralization of Input During Web Page Generation',
88
+ 80: 'Improper Neutralization of Script-Related HTML Tags in a Web Page',
89
+ 81: 'Improper Neutralization of Script in an Error Message Web Page',
90
+ 82: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web '
91
+ 'Page',
92
+ 83: 'Improper Neutralization of Script in Attributes in a Web Page',
93
+ 84: 'Improper Neutralization of Encoded URI Schemes in a Web Page',
94
+ 85: 'Doubled Character XSS Manipulations',
95
+ 86: 'Improper Neutralization of Invalid Characters in Identifiers in Web '
96
+ 'Pages',
97
+ 87: 'Improper Neutralization of Alternate XSS Syntax',
98
+ 88: 'Improper Neutralization of Argument Delimiters in a Command',
99
+ 89: 'Improper Neutralization of Special Elements used in an SQL Command',
100
+ 90: 'Improper Neutralization of Special Elements used in an LDAP Query',
101
+ 91: 'XML Injection',
102
+ 92: 'DEPRECATED: Improper Sanitization of Custom Special Characters',
103
+ 93: 'Improper Neutralization of CRLF Sequences',
104
+ 94: 'Improper Control of Generation of Code',
105
+ 95: 'Improper Neutralization of Directives in Dynamically Evaluated Code',
106
+ 96: 'Improper Neutralization of Directives in Statically Saved Code',
107
+ 97: 'Improper Neutralization of Server-Side Includes',
108
+ 98: 'Improper Control of Filename for Include/Require Statement in PHP '
109
+ 'Program',
110
+ 99: 'Improper Control of Resource Identifiers',
111
+ 102: 'Struts: Duplicate Validation Forms',
112
+ 103: 'Struts: Incomplete validate',
113
+ 104: 'Struts: Form Bean Does Not Extend Validation Class',
114
+ 105: 'Struts: Form Field Without Validator',
115
+ 106: 'Struts: Plug-in Framework not in Use',
116
+ 107: 'Struts: Unused Validation Form',
117
+ 108: 'Struts: Unvalidated Action Form',
118
+ 109: 'Struts: Validator Turned Off',
119
+ 110: 'Struts: Validator Without Form Field',
120
+ 111: 'Direct Use of Unsafe JNI',
121
+ 112: 'Missing XML Validation',
122
+ 113: 'Improper Neutralization of CRLF Sequences in HTTP Headers',
123
+ 114: 'Process Control',
124
+ 115: 'Misinterpretation of Input',
125
+ 116: 'Improper Encoding or Escaping of Output',
126
+ 117: 'Improper Output Neutralization for Logs',
127
+ 118: 'Incorrect Access of Indexable Resource',
128
+ 119: 'Improper Restriction of Operations within the Bounds of a Memory '
129
+ 'Buffer',
130
+ 120: 'Buffer Copy without Checking Size of Input',
131
+ 121: 'Stack-based Buffer Overflow',
132
+ 122: 'Heap-based Buffer Overflow',
133
+ 123: 'Write-what-where Condition',
134
+ 124: 'Buffer Underwrite',
135
+ 125: 'Out-of-bounds Read',
136
+ 126: 'Buffer Over-read',
137
+ 127: 'Buffer Under-read',
138
+ 128: 'Wrap-around Error',
139
+ 129: 'Improper Validation of Array Index',
140
+ 130: 'Improper Handling of Length Parameter Inconsistency',
141
+ 131: 'Incorrect Calculation of Buffer Size',
142
+ 132: 'DEPRECATED: Miscalculated Null Termination',
143
+ 134: 'Use of Externally-Controlled Format String',
144
+ 135: 'Incorrect Calculation of Multi-Byte String Length',
145
+ 138: 'Improper Neutralization of Special Elements',
146
+ 140: 'Improper Neutralization of Delimiters',
147
+ 141: 'Improper Neutralization of Parameter/Argument Delimiters',
148
+ 142: 'Improper Neutralization of Value Delimiters',
149
+ 143: 'Improper Neutralization of Record Delimiters',
150
+ 144: 'Improper Neutralization of Line Delimiters',
151
+ 145: 'Improper Neutralization of Section Delimiters',
152
+ 146: 'Improper Neutralization of Expression/Command Delimiters',
153
+ 147: 'Improper Neutralization of Input Terminators',
154
+ 148: 'Improper Neutralization of Input Leaders',
155
+ 149: 'Improper Neutralization of Quoting Syntax',
156
+ 150: 'Improper Neutralization of Escape, Meta, or Control Sequences',
157
+ 151: 'Improper Neutralization of Comment Delimiters',
158
+ 152: 'Improper Neutralization of Macro Symbols',
159
+ 153: 'Improper Neutralization of Substitution Characters',
160
+ 154: 'Improper Neutralization of Variable Name Delimiters',
161
+ 155: 'Improper Neutralization of Wildcards or Matching Symbols',
162
+ 156: 'Improper Neutralization of Whitespace',
163
+ 157: 'Failure to Sanitize Paired Delimiters',
164
+ 158: 'Improper Neutralization of Null Byte or NUL Character',
165
+ 159: 'Improper Handling of Invalid Use of Special Elements',
166
+ 160: 'Improper Neutralization of Leading Special Elements',
167
+ 161: 'Improper Neutralization of Multiple Leading Special Elements',
168
+ 162: 'Improper Neutralization of Trailing Special Elements',
169
+ 163: 'Improper Neutralization of Multiple Trailing Special Elements',
170
+ 164: 'Improper Neutralization of Internal Special Elements',
171
+ 165: 'Improper Neutralization of Multiple Internal Special Elements',
172
+ 166: 'Improper Handling of Missing Special Element',
173
+ 167: 'Improper Handling of Additional Special Element',
174
+ 168: 'Improper Handling of Inconsistent Special Elements',
175
+ 170: 'Improper Null Termination',
176
+ 172: 'Encoding Error',
177
+ 173: 'Improper Handling of Alternate Encoding',
178
+ 174: 'Double Decoding of the Same Data',
179
+ 175: 'Improper Handling of Mixed Encoding',
180
+ 176: 'Improper Handling of Unicode Encoding',
181
+ 177: 'Improper Handling of URL Encoding',
182
+ 178: 'Improper Handling of Case Sensitivity',
183
+ 179: 'Incorrect Behavior Order: Early Validation',
184
+ 180: 'Incorrect Behavior Order: Validate Before Canonicalize',
185
+ 181: 'Incorrect Behavior Order: Validate Before Filter',
186
+ 182: 'Collapse of Data into Unsafe Value',
187
+ 183: 'Permissive List of Allowed Inputs',
188
+ 184: 'Incomplete List of Disallowed Inputs',
189
+ 185: 'Incorrect Regular Expression',
190
+ 186: 'Overly Restrictive Regular Expression',
191
+ 187: 'Partial String Comparison',
192
+ 188: 'Reliance on Data/Memory Layout',
193
+ 190: 'Integer Overflow or Wraparound',
194
+ 191: 'Integer Underflow',
195
+ 192: 'Integer Coercion Error',
196
+ 193: 'Off-by-one Error',
197
+ 194: 'Unexpected Sign Extension',
198
+ 195: 'Signed to Unsigned Conversion Error',
199
+ 196: 'Unsigned to Signed Conversion Error',
200
+ 197: 'Numeric Truncation Error',
201
+ 198: 'Use of Incorrect Byte Ordering',
202
+ 200: 'Exposure of Sensitive Information to an Unauthorized Actor',
203
+ 201: 'Insertion of Sensitive Information Into Sent Data',
204
+ 202: 'Exposure of Sensitive Information Through Data Queries',
205
+ 203: 'Observable Discrepancy',
206
+ 204: 'Observable Response Discrepancy',
207
+ 205: 'Observable Behavioral Discrepancy',
208
+ 206: 'Observable Internal Behavioral Discrepancy',
209
+ 207: 'Observable Behavioral Discrepancy With Equivalent Products',
210
+ 208: 'Observable Timing Discrepancy',
211
+ 209: 'Generation of Error Message Containing Sensitive Information',
212
+ 210: 'Self-generated Error Message Containing Sensitive Information',
213
+ 211: 'Externally-Generated Error Message Containing Sensitive Information',
214
+ 212: 'Improper Removal of Sensitive Information Before Storage or Transfer',
215
+ 213: 'Exposure of Sensitive Information Due to Incompatible Policies',
216
+ 214: 'Invocation of Process Using Visible Sensitive Information',
217
+ 215: 'Insertion of Sensitive Information Into Debugging Code',
218
+ 216: 'DEPRECATED: Containment Errors',
219
+ 217: 'DEPRECATED: Failure to Protect Stored Data from Modification',
220
+ 218: 'DEPRECATED: Failure to provide confidentiality for stored data',
221
+ 219: 'Storage of File with Sensitive Data Under Web Root',
222
+ 220: 'Storage of File With Sensitive Data Under FTP Root',
223
+ 221: 'Information Loss or Omission',
224
+ 222: 'Truncation of Security-relevant Information',
225
+ 223: 'Omission of Security-relevant Information',
226
+ 224: 'Obscured Security-relevant Information by Alternate Name',
227
+ 225: 'DEPRECATED: General Information Management Problems',
228
+ 226: 'Sensitive Information in Resource Not Removed Before Reuse',
229
+ 228: 'Improper Handling of Syntactically Invalid Structure',
230
+ 229: 'Improper Handling of Values',
231
+ 230: 'Improper Handling of Missing Values',
232
+ 231: 'Improper Handling of Extra Values',
233
+ 232: 'Improper Handling of Undefined Values',
234
+ 233: 'Improper Handling of Parameters',
235
+ 234: 'Failure to Handle Missing Parameter',
236
+ 235: 'Improper Handling of Extra Parameters',
237
+ 236: 'Improper Handling of Undefined Parameters',
238
+ 237: 'Improper Handling of Structural Elements',
239
+ 238: 'Improper Handling of Incomplete Structural Elements',
240
+ 239: 'Failure to Handle Incomplete Element',
241
+ 240: 'Improper Handling of Inconsistent Structural Elements',
242
+ 241: 'Improper Handling of Unexpected Data Type',
243
+ 242: 'Use of Inherently Dangerous Function',
244
+ 243: 'Creation of chroot Jail Without Changing Working Directory',
245
+ 244: 'Improper Clearing of Heap Memory Before Release',
246
+ 245: 'J2EE Bad Practices: Direct Management of Connections',
247
+ 246: 'J2EE Bad Practices: Direct Use of Sockets',
248
+ 247: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision',
249
+ 248: 'Uncaught Exception',
250
+ 249: 'DEPRECATED: Often Misused: Path Manipulation',
251
+ 250: 'Execution with Unnecessary Privileges',
252
+ 252: 'Unchecked Return Value',
253
+ 253: 'Incorrect Check of Function Return Value',
254
+ 256: 'Plaintext Storage of a Password',
255
+ 257: 'Storing Passwords in a Recoverable Format',
256
+ 258: 'Empty Password in Configuration File',
257
+ 259: 'Use of Hard-coded Password',
258
+ 260: 'Password in Configuration File',
259
+ 261: 'Weak Encoding for Password',
260
+ 262: 'Not Using Password Aging',
261
+ 263: 'Password Aging with Long Expiration',
262
+ 266: 'Incorrect Privilege Assignment',
263
+ 267: 'Privilege Defined With Unsafe Actions',
264
+ 268: 'Privilege Chaining',
265
+ 269: 'Improper Privilege Management',
266
+ 270: 'Privilege Context Switching Error',
267
+ 271: 'Privilege Dropping / Lowering Errors',
268
+ 272: 'Least Privilege Violation',
269
+ 273: 'Improper Check for Dropped Privileges',
270
+ 274: 'Improper Handling of Insufficient Privileges',
271
+ 276: 'Incorrect Default Permissions',
272
+ 277: 'Insecure Inherited Permissions',
273
+ 278: 'Insecure Preserved Inherited Permissions',
274
+ 279: 'Incorrect Execution-Assigned Permissions',
275
+ 280: 'Improper Handling of Insufficient Permissions or Privileges ',
276
+ 281: 'Improper Preservation of Permissions',
277
+ 282: 'Improper Ownership Management',
278
+ 283: 'Unverified Ownership',
279
+ 284: 'Improper Access Control',
280
+ 285: 'Improper Authorization',
281
+ 286: 'Incorrect User Management',
282
+ 287: 'Improper Authentication',
283
+ 288: 'Authentication Bypass Using an Alternate Path or Channel',
284
+ 289: 'Authentication Bypass by Alternate Name',
285
+ 290: 'Authentication Bypass by Spoofing',
286
+ 291: 'Reliance on IP Address for Authentication',
287
+ 292: 'DEPRECATED: Trusting Self-reported DNS Name',
288
+ 293: 'Using Referer Field for Authentication',
289
+ 294: 'Authentication Bypass by Capture-replay',
290
+ 295: 'Improper Certificate Validation',
291
+ 296: 'Improper Following of a Certificates Chain of Trust',
292
+ 297: 'Improper Validation of Certificate with Host Mismatch',
293
+ 298: 'Improper Validation of Certificate Expiration',
294
+ 299: 'Improper Check for Certificate Revocation',
295
+ 300: 'Channel Accessible by Non-Endpoint',
296
+ 301: 'Reflection Attack in an Authentication Protocol',
297
+ 302: 'Authentication Bypass by Assumed-Immutable Data',
298
+ 303: 'Incorrect Implementation of Authentication Algorithm',
299
+ 304: 'Missing Critical Step in Authentication',
300
+ 305: 'Authentication Bypass by Primary Weakness',
301
+ 306: 'Missing Authentication for Critical Function',
302
+ 307: 'Improper Restriction of Excessive Authentication Attempts',
303
+ 308: 'Use of Single-factor Authentication',
304
+ 309: 'Use of Password System for Primary Authentication',
305
+ 311: 'Missing Encryption of Sensitive Data',
306
+ 312: 'Cleartext Storage of Sensitive Information',
307
+ 313: 'Cleartext Storage in a File or on Disk',
308
+ 314: 'Cleartext Storage in the Registry',
309
+ 315: 'Cleartext Storage of Sensitive Information in a Cookie',
310
+ 316: 'Cleartext Storage of Sensitive Information in Memory',
311
+ 317: 'Cleartext Storage of Sensitive Information in GUI',
312
+ 318: 'Cleartext Storage of Sensitive Information in Executable',
313
+ 319: 'Cleartext Transmission of Sensitive Information',
314
+ 321: 'Use of Hard-coded Cryptographic Key',
315
+ 322: 'Key Exchange without Entity Authentication',
316
+ 323: 'Reusing a Nonce, Key Pair in Encryption',
317
+ 324: 'Use of a Key Past its Expiration Date',
318
+ 325: 'Missing Cryptographic Step',
319
+ 326: 'Inadequate Encryption Strength',
320
+ 327: 'Use of a Broken or Risky Cryptographic Algorithm',
321
+ 328: 'Use of Weak Hash',
322
+ 329: 'Generation of Predictable IV with CBC Mode',
323
+ 330: 'Use of Insufficiently Random Values',
324
+ 331: 'Insufficient Entropy',
325
+ 332: 'Insufficient Entropy in PRNG',
326
+ 333: 'Improper Handling of Insufficient Entropy in TRNG',
327
+ 334: 'Small Space of Random Values',
328
+ 335: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator',
329
+ 336: 'Same Seed in Pseudo-Random Number Generator',
330
+ 337: 'Predictable Seed in Pseudo-Random Number Generator',
331
+ 338: 'Use of Cryptographically Weak Pseudo-Random Number Generator',
332
+ 339: 'Small Seed Space in PRNG',
333
+ 340: 'Generation of Predictable Numbers or Identifiers',
334
+ 341: 'Predictable from Observable State',
335
+ 342: 'Predictable Exact Value from Previous Values',
336
+ 343: 'Predictable Value Range from Previous Values',
337
+ 344: 'Use of Invariant Value in Dynamically Changing Context',
338
+ 345: 'Insufficient Verification of Data Authenticity',
339
+ 346: 'Origin Validation Error',
340
+ 347: 'Improper Verification of Cryptographic Signature',
341
+ 348: 'Use of Less Trusted Source',
342
+ 349: 'Acceptance of Extraneous Untrusted Data With Trusted Data',
343
+ 350: 'Reliance on Reverse DNS Resolution for a Security-Critical Action',
344
+ 351: 'Insufficient Type Distinction',
345
+ 352: 'Cross-Site Request Forgery',
346
+ 353: 'Missing Support for Integrity Check',
347
+ 354: 'Improper Validation of Integrity Check Value',
348
+ 356: 'Product UI does not Warn User of Unsafe Actions',
349
+ 357: 'Insufficient UI Warning of Dangerous Operations',
350
+ 358: 'Improperly Implemented Security Check for Standard',
351
+ 359: 'Exposure of Private Personal Information to an Unauthorized Actor',
352
+ 360: 'Trust of System Event Data',
353
+ 362: 'Concurrent Execution using Shared Resource with Improper '
354
+ 'Synchronization',
355
+ 363: 'Race Condition Enabling Link Following',
356
+ 364: 'Signal Handler Race Condition',
357
+ 365: 'DEPRECATED: Race Condition in Switch',
358
+ 366: 'Race Condition within a Thread',
359
+ 367: 'Time-of-check Time-of-use',
360
+ 368: 'Context Switching Race Condition',
361
+ 369: 'Divide By Zero',
362
+ 370: 'Missing Check for Certificate Revocation after Initial Check',
363
+ 372: 'Incomplete Internal State Distinction',
364
+ 373: 'DEPRECATED: State Synchronization Error',
365
+ 374: 'Passing Mutable Objects to an Untrusted Method',
366
+ 375: 'Returning a Mutable Object to an Untrusted Caller',
367
+ 377: 'Insecure Temporary File',
368
+ 378: 'Creation of Temporary File With Insecure Permissions',
369
+ 379: 'Creation of Temporary File in Directory with Insecure Permissions',
370
+ 382: 'J2EE Bad Practices: Use of System.exit',
371
+ 383: 'J2EE Bad Practices: Direct Use of Threads',
372
+ 384: 'Session Fixation',
373
+ 385: 'Covert Timing Channel',
374
+ 386: 'Symbolic Name not Mapping to Correct Object',
375
+ 390: 'Detection of Error Condition Without Action',
376
+ 391: 'Unchecked Error Condition',
377
+ 392: 'Missing Report of Error Condition',
378
+ 393: 'Return of Wrong Status Code',
379
+ 394: 'Unexpected Status Code or Return Value',
380
+ 395: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference',
381
+ 396: 'Declaration of Catch for Generic Exception',
382
+ 397: 'Declaration of Throws for Generic Exception',
383
+ 400: 'Uncontrolled Resource Consumption',
384
+ 401: 'Missing Release of Memory after Effective Lifetime',
385
+ 402: 'Transmission of Private Resources into a New Sphere',
386
+ 403: 'Exposure of File Descriptor to Unintended Control Sphere',
387
+ 404: 'Improper Resource Shutdown or Release',
388
+ 405: 'Asymmetric Resource Consumption',
389
+ 406: 'Insufficient Control of Network Message Volume',
390
+ 407: 'Inefficient Algorithmic Complexity',
391
+ 408: 'Incorrect Behavior Order: Early Amplification',
392
+ 409: 'Improper Handling of Highly Compressed Data',
393
+ 410: 'Insufficient Resource Pool',
394
+ 412: 'Unrestricted Externally Accessible Lock',
395
+ 413: 'Improper Resource Locking',
396
+ 414: 'Missing Lock Check',
397
+ 415: 'Double Free',
398
+ 416: 'Use After Free',
399
+ 419: 'Unprotected Primary Channel',
400
+ 420: 'Unprotected Alternate Channel',
401
+ 421: 'Race Condition During Access to Alternate Channel',
402
+ 422: 'Unprotected Windows Messaging Channel',
403
+ 423: 'DEPRECATED: Proxied Trusted Channel',
404
+ 424: 'Improper Protection of Alternate Path',
405
+ 425: 'Direct Request',
406
+ 426: 'Untrusted Search Path',
407
+ 427: 'Uncontrolled Search Path Element',
408
+ 428: 'Unquoted Search Path or Element',
409
+ 430: 'Deployment of Wrong Handler',
410
+ 431: 'Missing Handler',
411
+ 432: 'Dangerous Signal Handler not Disabled During Sensitive Operations',
412
+ 433: 'Unparsed Raw Web Content Delivery',
413
+ 434: 'Unrestricted Upload of File with Dangerous Type',
414
+ 435: 'Improper Interaction Between Multiple Correctly-Behaving Entities',
415
+ 436: 'Interpretation Conflict',
416
+ 437: 'Incomplete Model of Endpoint Features',
417
+ 439: 'Behavioral Change in New Version or Environment',
418
+ 440: 'Expected Behavior Violation',
419
+ 441: 'Unintended Proxy or Intermediary',
420
+ 443: 'DEPRECATED: HTTP response splitting',
421
+ 444: 'Inconsistent Interpretation of HTTP Requests',
422
+ 446: 'UI Discrepancy for Security Feature',
423
+ 447: 'Unimplemented or Unsupported Feature in UI',
424
+ 448: 'Obsolete Feature in UI',
425
+ 449: 'The UI Performs the Wrong Action',
426
+ 450: 'Multiple Interpretations of UI Input',
427
+ 451: 'User Interface',
428
+ 453: 'Insecure Default Variable Initialization',
429
+ 454: 'External Initialization of Trusted Variables or Data Stores',
430
+ 455: 'Non-exit on Failed Initialization',
431
+ 456: 'Missing Initialization of a Variable',
432
+ 457: 'Use of Uninitialized Variable',
433
+ 458: 'DEPRECATED: Incorrect Initialization',
434
+ 459: 'Incomplete Cleanup',
435
+ 460: 'Improper Cleanup on Thrown Exception',
436
+ 462: 'Duplicate Key in Associative List',
437
+ 463: 'Deletion of Data Structure Sentinel',
438
+ 464: 'Addition of Data Structure Sentinel',
439
+ 466: 'Return of Pointer Value Outside of Expected Range',
440
+ 467: 'Use of sizeof',
441
+ 468: 'Incorrect Pointer Scaling',
442
+ 469: 'Use of Pointer Subtraction to Determine Size',
443
+ 470: 'Use of Externally-Controlled Input to Select Classes or Code',
444
+ 471: 'Modification of Assumed-Immutable Data',
445
+ 472: 'External Control of Assumed-Immutable Web Parameter',
446
+ 473: 'PHP External Variable Modification',
447
+ 474: 'Use of Function with Inconsistent Implementations',
448
+ 475: 'Undefined Behavior for Input to API',
449
+ 476: 'NULL Pointer Dereference',
450
+ 477: 'Use of Obsolete Function',
451
+ 478: 'Missing Default Case in Multiple Condition Expression',
452
+ 479: 'Signal Handler Use of a Non-reentrant Function',
453
+ 480: 'Use of Incorrect Operator',
454
+ 481: 'Assigning instead of Comparing',
455
+ 482: 'Comparing instead of Assigning',
456
+ 483: 'Incorrect Block Delimitation',
457
+ 484: 'Omitted Break Statement in Switch',
458
+ 486: 'Comparison of Classes by Name',
459
+ 487: 'Reliance on Package-level Scope',
460
+ 488: 'Exposure of Data Element to Wrong Session',
461
+ 489: 'Active Debug Code',
462
+ 491: 'Public cloneable',
463
+ 492: 'Use of Inner Class Containing Sensitive Data',
464
+ 493: 'Critical Public Variable Without Final Modifier',
465
+ 494: 'Download of Code Without Integrity Check',
466
+ 495: 'Private Data Structure Returned From A Public Method',
467
+ 496: 'Public Data Assigned to Private Array-Typed Field',
468
+ 497: 'Exposure of Sensitive System Information to an Unauthorized Control '
469
+ 'Sphere',
470
+ 498: 'Cloneable Class Containing Sensitive Information',
471
+ 499: 'Serializable Class Containing Sensitive Data',
472
+ 500: 'Public Static Field Not Marked Final',
473
+ 501: 'Trust Boundary Violation',
474
+ 502: 'Deserialization of Untrusted Data',
475
+ 506: 'Embedded Malicious Code',
476
+ 507: 'Trojan Horse',
477
+ 508: 'Non-Replicating Malicious Code',
478
+ 509: 'Replicating Malicious Code',
479
+ 510: 'Trapdoor',
480
+ 511: 'Logic/Time Bomb',
481
+ 512: 'Spyware',
482
+ 514: 'Covert Channel',
483
+ 515: 'Covert Storage Channel',
484
+ 516: 'DEPRECATED: Covert Timing Channel',
485
+ 520: '.NET Misconfiguration: Use of Impersonation',
486
+ 521: 'Weak Password Requirements',
487
+ 522: 'Insufficiently Protected Credentials',
488
+ 523: 'Unprotected Transport of Credentials',
489
+ 524: 'Use of Cache Containing Sensitive Information',
490
+ 525: 'Use of Web Browser Cache Containing Sensitive Information',
491
+ 526: 'Cleartext Storage of Sensitive Information in an Environment '
492
+ 'Variable',
493
+ 527: 'Exposure of Version-Control Repository to an Unauthorized Control '
494
+ 'Sphere',
495
+ 528: 'Exposure of Core Dump File to an Unauthorized Control Sphere',
496
+ 529: 'Exposure of Access Control List Files to an Unauthorized Control '
497
+ 'Sphere',
498
+ 530: 'Exposure of Backup File to an Unauthorized Control Sphere',
499
+ 531: 'Inclusion of Sensitive Information in Test Code',
500
+ 532: 'Insertion of Sensitive Information into Log File',
501
+ 533: 'DEPRECATED: Information Exposure Through Server Log Files',
502
+ 534: 'DEPRECATED: Information Exposure Through Debug Log Files',
503
+ 535: 'Exposure of Information Through Shell Error Message',
504
+ 536: 'Servlet Runtime Error Message Containing Sensitive Information',
505
+ 537: 'Java Runtime Error Message Containing Sensitive Information',
506
+ 538: 'Insertion of Sensitive Information into Externally-Accessible File or'
507
+ ' Directory',
508
+ 539: 'Use of Persistent Cookies Containing Sensitive Information',
509
+ 540: 'Inclusion of Sensitive Information in Source Code',
510
+ 541: 'Inclusion of Sensitive Information in an Include File',
511
+ 542: 'DEPRECATED: Information Exposure Through Cleanup Log Files',
512
+ 543: 'Use of Singleton Pattern Without Synchronization in a Multithreaded '
513
+ 'Context',
514
+ 544: 'Missing Standardized Error Handling Mechanism',
515
+ 545: 'DEPRECATED: Use of Dynamic Class Loading',
516
+ 546: 'Suspicious Comment',
517
+ 547: 'Use of Hard-coded, Security-relevant Constants',
518
+ 548: 'Exposure of Information Through Directory Listing',
519
+ 549: 'Missing Password Field Masking',
520
+ 550: 'Server-generated Error Message Containing Sensitive Information',
521
+ 551: 'Incorrect Behavior Order: Authorization Before Parsing and '
522
+ 'Canonicalization',
523
+ 552: 'Files or Directories Accessible to External Parties',
524
+ 553: 'Command Shell in Externally Accessible Directory',
525
+ 554: 'ASP.NET Misconfiguration: Not Using Input Validation Framework',
526
+ 555: 'J2EE Misconfiguration: Plaintext Password in Configuration File',
527
+ 556: 'ASP.NET Misconfiguration: Use of Identity Impersonation',
528
+ 558: 'Use of getlogin',
529
+ 560: 'Use of umask',
530
+ 561: 'Dead Code',
531
+ 562: 'Return of Stack Variable Address',
532
+ 563: 'Assignment to Variable without Use',
533
+ 564: 'SQL Injection: Hibernate',
534
+ 565: 'Reliance on Cookies without Validation and Integrity Checking',
535
+ 566: 'Authorization Bypass Through User-Controlled SQL Primary Key',
536
+ 567: 'Unsynchronized Access to Shared Data in a Multithreaded Context',
537
+ 568: 'finalize',
538
+ 570: 'Expression is Always False',
539
+ 571: 'Expression is Always True',
540
+ 572: 'Call to Thread run',
541
+ 573: 'Improper Following of Specification by Caller',
542
+ 574: 'EJB Bad Practices: Use of Synchronization Primitives',
543
+ 575: 'EJB Bad Practices: Use of AWT Swing',
544
+ 576: 'EJB Bad Practices: Use of Java I/O',
545
+ 577: 'EJB Bad Practices: Use of Sockets',
546
+ 578: 'EJB Bad Practices: Use of Class Loader',
547
+ 579: 'J2EE Bad Practices: Non-serializable Object Stored in Session',
548
+ 580: 'clone',
549
+ 581: 'Object Model Violation: Just One of Equals and Hashcode Defined',
550
+ 582: 'Array Declared Public, Final, and Static',
551
+ 583: 'finalize',
552
+ 584: 'Return Inside Finally Block',
553
+ 585: 'Empty Synchronized Block',
554
+ 586: 'Explicit Call to Finalize',
555
+ 587: 'Assignment of a Fixed Address to a Pointer',
556
+ 588: 'Attempt to Access Child of a Non-structure Pointer',
557
+ 589: 'Call to Non-ubiquitous API',
558
+ 590: 'Free of Memory not on the Heap',
559
+ 591: 'Sensitive Data Storage in Improperly Locked Memory',
560
+ 592: 'DEPRECATED: Authentication Bypass Issues',
561
+ 593: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects '
562
+ 'are Created',
563
+ 594: 'J2EE Framework: Saving Unserializable Objects to Disk',
564
+ 595: 'Comparison of Object References Instead of Object Contents',
565
+ 596: 'DEPRECATED: Incorrect Semantic Object Comparison',
566
+ 597: 'Use of Wrong Operator in String Comparison',
567
+ 598: 'Use of GET Request Method With Sensitive Query Strings',
568
+ 599: 'Missing Validation of OpenSSL Certificate',
569
+ 600: 'Uncaught Exception in Servlet ',
570
+ 601: 'URL Redirection to Untrusted Site',
571
+ 602: 'Client-Side Enforcement of Server-Side Security',
572
+ 603: 'Use of Client-Side Authentication',
573
+ 605: 'Multiple Binds to the Same Port',
574
+ 606: 'Unchecked Input for Loop Condition',
575
+ 607: 'Public Static Final Field References Mutable Object',
576
+ 608: 'Struts: Non-private Field in ActionForm Class',
577
+ 609: 'Double-Checked Locking',
578
+ 610: 'Externally Controlled Reference to a Resource in Another Sphere',
579
+ 611: 'Improper Restriction of XML External Entity Reference',
580
+ 612: 'Improper Authorization of Index Containing Sensitive Information',
581
+ 613: 'Insufficient Session Expiration',
582
+ 614: 'Sensitive Cookie in HTTPS Session Without Secure Attribute',
583
+ 615: 'Inclusion of Sensitive Information in Source Code Comments',
584
+ 616: 'Incomplete Identification of Uploaded File Variables',
585
+ 617: 'Reachable Assertion',
586
+ 618: 'Exposed Unsafe ActiveX Method',
587
+ 619: 'Dangling Database Cursor',
588
+ 620: 'Unverified Password Change',
589
+ 621: 'Variable Extraction Error',
590
+ 622: 'Improper Validation of Function Hook Arguments',
591
+ 623: 'Unsafe ActiveX Control Marked Safe For Scripting',
592
+ 624: 'Executable Regular Expression Error',
593
+ 625: 'Permissive Regular Expression',
594
+ 626: 'Null Byte Interaction Error',
595
+ 627: 'Dynamic Variable Evaluation',
596
+ 628: 'Function Call with Incorrectly Specified Arguments',
597
+ 636: 'Not Failing Securely',
598
+ 637: 'Unnecessary Complexity in Protection Mechanism',
599
+ 638: 'Not Using Complete Mediation',
600
+ 639: 'Authorization Bypass Through User-Controlled Key',
601
+ 640: 'Weak Password Recovery Mechanism for Forgotten Password',
602
+ 641: 'Improper Restriction of Names for Files and Other Resources',
603
+ 642: 'External Control of Critical State Data',
604
+ 643: 'Improper Neutralization of Data within XPath Expressions',
605
+ 644: 'Improper Neutralization of HTTP Headers for Scripting Syntax',
606
+ 645: 'Overly Restrictive Account Lockout Mechanism',
607
+ 646: 'Reliance on File Name or Extension of Externally-Supplied File',
608
+ 647: 'Use of Non-Canonical URL Paths for Authorization Decisions',
609
+ 648: 'Incorrect Use of Privileged APIs',
610
+ 649: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs '
611
+ 'without Integrity Checking',
612
+ 650: 'Trusting HTTP Permission Methods on the Server Side',
613
+ 651: 'Exposure of WSDL File Containing Sensitive Information',
614
+ 652: 'Improper Neutralization of Data within XQuery Expressions',
615
+ 653: 'Improper Isolation or Compartmentalization',
616
+ 654: 'Reliance on a Single Factor in a Security Decision',
617
+ 655: 'Insufficient Psychological Acceptability',
618
+ 656: 'Reliance on Security Through Obscurity',
619
+ 657: 'Violation of Secure Design Principles',
620
+ 662: 'Improper Synchronization',
621
+ 663: 'Use of a Non-reentrant Function in a Concurrent Context',
622
+ 664: 'Improper Control of a Resource Through its Lifetime',
623
+ 665: 'Improper Initialization',
624
+ 666: 'Operation on Resource in Wrong Phase of Lifetime',
625
+ 667: 'Improper Locking',
626
+ 668: 'Exposure of Resource to Wrong Sphere',
627
+ 669: 'Incorrect Resource Transfer Between Spheres',
628
+ 670: 'Always-Incorrect Control Flow Implementation',
629
+ 671: 'Lack of Administrator Control over Security',
630
+ 672: 'Operation on a Resource after Expiration or Release',
631
+ 673: 'External Influence of Sphere Definition',
632
+ 674: 'Uncontrolled Recursion',
633
+ 675: 'Multiple Operations on Resource in Single-Operation Context',
634
+ 676: 'Use of Potentially Dangerous Function',
635
+ 680: 'Integer Overflow to Buffer Overflow',
636
+ 681: 'Incorrect Conversion between Numeric Types',
637
+ 682: 'Incorrect Calculation',
638
+ 683: 'Function Call With Incorrect Order of Arguments',
639
+ 684: 'Incorrect Provision of Specified Functionality',
640
+ 685: 'Function Call With Incorrect Number of Arguments',
641
+ 686: 'Function Call With Incorrect Argument Type',
642
+ 687: 'Function Call With Incorrectly Specified Argument Value',
643
+ 688: 'Function Call With Incorrect Variable or Reference as Argument',
644
+ 689: 'Permission Race Condition During Resource Copy',
645
+ 690: 'Unchecked Return Value to NULL Pointer Dereference',
646
+ 691: 'Insufficient Control Flow Management',
647
+ 692: 'Incomplete Denylist to Cross-Site Scripting',
648
+ 693: 'Protection Mechanism Failure',
649
+ 694: 'Use of Multiple Resources with Duplicate Identifier',
650
+ 695: 'Use of Low-Level Functionality',
651
+ 696: 'Incorrect Behavior Order',
652
+ 697: 'Incorrect Comparison',
653
+ 698: 'Execution After Redirect',
654
+ 703: 'Improper Check or Handling of Exceptional Conditions',
655
+ 704: 'Incorrect Type Conversion or Cast',
656
+ 705: 'Incorrect Control Flow Scoping',
657
+ 706: 'Use of Incorrectly-Resolved Name or Reference',
658
+ 707: 'Improper Neutralization',
659
+ 708: 'Incorrect Ownership Assignment',
660
+ 710: 'Improper Adherence to Coding Standards',
661
+ 732: 'Incorrect Permission Assignment for Critical Resource',
662
+ 733: 'Compiler Optimization Removal or Modification of Security-critical '
663
+ 'Code',
664
+ 749: 'Exposed Dangerous Method or Function',
665
+ 754: 'Improper Check for Unusual or Exceptional Conditions',
666
+ 755: 'Improper Handling of Exceptional Conditions',
667
+ 756: 'Missing Custom Error Page',
668
+ 757: 'Selection of Less-Secure Algorithm During Negotiation',
669
+ 758: 'Reliance on Undefined, Unspecified, or Implementation-Defined '
670
+ 'Behavior',
671
+ 759: 'Use of a One-Way Hash without a Salt',
672
+ 760: 'Use of a One-Way Hash with a Predictable Salt',
673
+ 761: 'Free of Pointer not at Start of Buffer',
674
+ 762: 'Mismatched Memory Management Routines',
675
+ 763: 'Release of Invalid Pointer or Reference',
676
+ 764: 'Multiple Locks of a Critical Resource',
677
+ 765: 'Multiple Unlocks of a Critical Resource',
678
+ 766: 'Critical Data Element Declared Public',
679
+ 767: 'Access to Critical Private Variable via Public Method',
680
+ 768: 'Incorrect Short Circuit Evaluation',
681
+ 769: 'DEPRECATED: Uncontrolled File Descriptor Consumption',
682
+ 770: 'Allocation of Resources Without Limits or Throttling',
683
+ 771: 'Missing Reference to Active Allocated Resource',
684
+ 772: 'Missing Release of Resource after Effective Lifetime',
685
+ 773: 'Missing Reference to Active File Descriptor or Handle',
686
+ 774: 'Allocation of File Descriptors or Handles Without Limits or '
687
+ 'Throttling',
688
+ 775: 'Missing Release of File Descriptor or Handle after Effective '
689
+ 'Lifetime',
690
+ 776: 'Improper Restriction of Recursive Entity References in DTDs',
691
+ 777: 'Regular Expression without Anchors',
692
+ 778: 'Insufficient Logging',
693
+ 779: 'Logging of Excessive Data',
694
+ 780: 'Use of RSA Algorithm without OAEP',
695
+ 781: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control '
696
+ 'Code',
697
+ 782: 'Exposed IOCTL with Insufficient Access Control',
698
+ 783: 'Operator Precedence Logic Error',
699
+ 784: 'Reliance on Cookies without Validation and Integrity Checking in a '
700
+ 'Security Decision',
701
+ 785: 'Use of Path Manipulation Function without Maximum-sized Buffer',
702
+ 786: 'Access of Memory Location Before Start of Buffer',
703
+ 787: 'Out-of-bounds Write',
704
+ 788: 'Access of Memory Location After End of Buffer',
705
+ 789: 'Memory Allocation with Excessive Size Value',
706
+ 790: 'Improper Filtering of Special Elements',
707
+ 791: 'Incomplete Filtering of Special Elements',
708
+ 792: 'Incomplete Filtering of One or More Instances of Special Elements',
709
+ 793: 'Only Filtering One Instance of a Special Element',
710
+ 794: 'Incomplete Filtering of Multiple Instances of Special Elements',
711
+ 795: 'Only Filtering Special Elements at a Specified Location',
712
+ 796: 'Only Filtering Special Elements Relative to a Marker',
713
+ 797: 'Only Filtering Special Elements at an Absolute Position',
714
+ 798: 'Use of Hard-coded Credentials',
715
+ 799: 'Improper Control of Interaction Frequency',
716
+ 804: 'Guessable CAPTCHA',
717
+ 805: 'Buffer Access with Incorrect Length Value',
718
+ 806: 'Buffer Access Using Size of Source Buffer',
719
+ 807: 'Reliance on Untrusted Inputs in a Security Decision',
720
+ 820: 'Missing Synchronization',
721
+ 821: 'Incorrect Synchronization',
722
+ 822: 'Untrusted Pointer Dereference',
723
+ 823: 'Use of Out-of-range Pointer Offset',
724
+ 824: 'Access of Uninitialized Pointer',
725
+ 825: 'Expired Pointer Dereference',
726
+ 826: 'Premature Release of Resource During Expected Lifetime',
727
+ 827: 'Improper Control of Document Type Definition',
728
+ 828: 'Signal Handler with Functionality that is not Asynchronous-Safe',
729
+ 829: 'Inclusion of Functionality from Untrusted Control Sphere',
730
+ 830: 'Inclusion of Web Functionality from an Untrusted Source',
731
+ 831: 'Signal Handler Function Associated with Multiple Signals',
732
+ 832: 'Unlock of a Resource that is not Locked',
733
+ 833: 'Deadlock',
734
+ 834: 'Excessive Iteration',
735
+ 835: 'Loop with Unreachable Exit Condition',
736
+ 836: 'Use of Password Hash Instead of Password for Authentication',
737
+ 837: 'Improper Enforcement of a Single, Unique Action',
738
+ 838: 'Inappropriate Encoding for Output Context',
739
+ 839: 'Numeric Range Comparison Without Minimum Check',
740
+ 841: 'Improper Enforcement of Behavioral Workflow',
741
+ 842: 'Placement of User into Incorrect Group',
742
+ 843: 'Access of Resource Using Incompatible Type',
743
+ 862: 'Missing Authorization',
744
+ 863: 'Incorrect Authorization',
745
+ 908: 'Use of Uninitialized Resource',
746
+ 909: 'Missing Initialization of Resource',
747
+ 910: 'Use of Expired File Descriptor',
748
+ 911: 'Improper Update of Reference Count',
749
+ 912: 'Hidden Functionality',
750
+ 913: 'Improper Control of Dynamically-Managed Code Resources',
751
+ 914: 'Improper Control of Dynamically-Identified Variables',
752
+ 915: 'Improperly Controlled Modification of Dynamically-Determined Object '
753
+ 'Attributes',
754
+ 916: 'Use of Password Hash With Insufficient Computational Effort',
755
+ 917: 'Improper Neutralization of Special Elements used in an Expression '
756
+ 'Language Statement',
757
+ 918: 'Server-Side Request Forgery',
758
+ 920: 'Improper Restriction of Power Consumption',
759
+ 921: 'Storage of Sensitive Data in a Mechanism without Access Control',
760
+ 922: 'Insecure Storage of Sensitive Information',
761
+ 923: 'Improper Restriction of Communication Channel to Intended Endpoints',
762
+ 924: 'Improper Enforcement of Message Integrity During Transmission in a '
763
+ 'Communication Channel',
764
+ 925: 'Improper Verification of Intent by Broadcast Receiver',
765
+ 926: 'Improper Export of Android Application Components',
766
+ 927: 'Use of Implicit Intent for Sensitive Communication',
767
+ 939: 'Improper Authorization in Handler for Custom URL Scheme',
768
+ 940: 'Improper Verification of Source of a Communication Channel',
769
+ 941: 'Incorrectly Specified Destination in a Communication Channel',
770
+ 942: 'Permissive Cross-domain Policy with Untrusted Domains',
771
+ 943: 'Improper Neutralization of Special Elements in Data Query Logic',
772
+ 1004: 'Sensitive Cookie Without HttpOnly Flag',
773
+ 1007: 'Insufficient Visual Distinction of Homoglyphs Presented to User',
774
+ 1021: 'Improper Restriction of Rendered UI Layers or Frames',
775
+ 1022: 'Use of Web Link to Untrusted Target with window.opener Access',
776
+ 1023: 'Incomplete Comparison with Missing Factors',
777
+ 1024: 'Comparison of Incompatible Types',
778
+ 1025: 'Comparison Using Wrong Factors',
779
+ 1037: 'Processor Optimization Removal or Modification of '
780
+ 'Security-critical Code',
781
+ 1038: 'Insecure Automated Optimizations',
782
+ 1039: 'Automated Recognition Mechanism with Inadequate Detection or '
783
+ 'Handling of Adversarial Input Perturbations',
784
+ 1041: 'Use of Redundant Code',
785
+ 1042: 'Static Member Data Element outside of a Singleton Class Element',
786
+ 1043: 'Data Element Aggregating an Excessively Large Number of '
787
+ 'Non-Primitive Elements',
788
+ 1044: 'Architecture with Number of Horizontal Layers Outside of Expected '
789
+ 'Range',
790
+ 1045: 'Parent Class with a Virtual Destructor and a Child Class without a '
791
+ 'Virtual Destructor',
792
+ 1046: 'Creation of Immutable Text Using String Concatenation',
793
+ 1047: 'Modules with Circular Dependencies',
794
+ 1048: 'Invokable Control Element with Large Number of Outward Calls',
795
+ 1049: 'Excessive Data Query Operations in a Large Data Table',
796
+ 1050: 'Excessive Platform Resource Consumption within a Loop',
797
+ 1051: 'Initialization with Hard-Coded Network Resource Configuration Data',
798
+ 1052: 'Excessive Use of Hard-Coded Literals in Initialization',
799
+ 1053: 'Missing Documentation for Design',
800
+ 1054: 'Invocation of a Control Element at an Unnecessarily Deep '
801
+ 'Horizontal Layer',
802
+ 1055: 'Multiple Inheritance from Concrete Classes',
803
+ 1056: 'Invokable Control Element with Variadic Parameters',
804
+ 1057: 'Data Access Operations Outside of Expected Data Manager Component',
805
+ 1058: 'Invokable Control Element in Multi-Thread Context with non-Final '
806
+ 'Static Storable or Member Element',
807
+ 1059: 'Insufficient Technical Documentation',
808
+ 1060: 'Excessive Number of Inefficient Server-Side Data Accesses',
809
+ 1061: 'Insufficient Encapsulation',
810
+ 1062: 'Parent Class with References to Child Class',
811
+ 1063: 'Creation of Class Instance within a Static Code Block',
812
+ 1064: 'Invokable Control Element with Signature Containing an Excessive '
813
+ 'Number of Parameters',
814
+ 1065: 'Runtime Resource Management Control Element in a Component Built '
815
+ 'to Run on Application Servers',
816
+ 1066: 'Missing Serialization Control Element',
817
+ 1067: 'Excessive Execution of Sequential Searches of Data Resource',
818
+ 1068: 'Inconsistency Between Implementation and Documented Design',
819
+ 1069: 'Empty Exception Block',
820
+ 1070: 'Serializable Data Element Containing non-Serializable Item Elements',
821
+ 1071: 'Empty Code Block',
822
+ 1072: 'Data Resource Access without Use of Connection Pooling',
823
+ 1073: 'Non-SQL Invokable Control Element with Excessive Number of Data '
824
+ 'Resource Accesses',
825
+ 1074: 'Class with Excessively Deep Inheritance',
826
+ 1075: 'Unconditional Control Flow Transfer outside of Switch Block',
827
+ 1076: 'Insufficient Adherence to Expected Conventions',
828
+ 1077: 'Floating Point Comparison with Incorrect Operator',
829
+ 1078: 'Inappropriate Source Code Style or Formatting',
830
+ 1079: 'Parent Class without Virtual Destructor Method',
831
+ 1080: 'Source Code File with Excessive Number of Lines of Code',
832
+ 1082: 'Class Instance Self Destruction Control Element',
833
+ 1083: 'Data Access from Outside Expected Data Manager Component',
834
+ 1084: 'Invokable Control Element with Excessive File or Data Access '
835
+ 'Operations',
836
+ 1085: 'Invokable Control Element with Excessive Volume of Commented-out '
837
+ 'Code',
838
+ 1086: 'Class with Excessive Number of Child Classes',
839
+ 1087: 'Class with Virtual Method without a Virtual Destructor',
840
+ 1088: 'Synchronous Access of Remote Resource without Timeout',
841
+ 1089: 'Large Data Table with Excessive Number of Indices',
842
+ 1090: 'Method Containing Access of a Member Element from Another Class',
843
+ 1091: 'Use of Object without Invoking Destructor Method',
844
+ 1092: 'Use of Same Invokable Control Element in Multiple Architectural '
845
+ 'Layers',
846
+ 1093: 'Excessively Complex Data Representation',
847
+ 1094: 'Excessive Index Range Scan for a Data Resource',
848
+ 1095: 'Loop Condition Value Update within the Loop',
849
+ 1096: 'Singleton Class Instance Creation without Proper Locking or '
850
+ 'Synchronization',
851
+ 1097: 'Persistent Storable Data Element without Associated Comparison '
852
+ 'Control Element',
853
+ 1098: 'Data Element containing Pointer Item without Proper Copy Control '
854
+ 'Element',
855
+ 1099: 'Inconsistent Naming Conventions for Identifiers',
856
+ 1100: 'Insufficient Isolation of System-Dependent Functions',
857
+ 1101: 'Reliance on Runtime Component in Generated Code',
858
+ 1102: 'Reliance on Machine-Dependent Data Representation',
859
+ 1103: 'Use of Platform-Dependent Third Party Components',
860
+ 1104: 'Use of Unmaintained Third Party Components',
861
+ 1105: 'Insufficient Encapsulation of Machine-Dependent Functionality',
862
+ 1106: 'Insufficient Use of Symbolic Constants',
863
+ 1107: 'Insufficient Isolation of Symbolic Constant Definitions',
864
+ 1108: 'Excessive Reliance on Global Variables',
865
+ 1109: 'Use of Same Variable for Multiple Purposes',
866
+ 1110: 'Incomplete Design Documentation',
867
+ 1111: 'Incomplete I/O Documentation',
868
+ 1112: 'Incomplete Documentation of Program Execution',
869
+ 1113: 'Inappropriate Comment Style',
870
+ 1114: 'Inappropriate Whitespace Style',
871
+ 1115: 'Source Code Element without Standard Prologue',
872
+ 1116: 'Inaccurate Comments',
873
+ 1117: 'Callable with Insufficient Behavioral Summary',
874
+ 1118: 'Insufficient Documentation of Error Handling Techniques',
875
+ 1119: 'Excessive Use of Unconditional Branching',
876
+ 1120: 'Excessive Code Complexity',
877
+ 1121: 'Excessive McCabe Cyclomatic Complexity',
878
+ 1122: 'Excessive Halstead Complexity',
879
+ 1123: 'Excessive Use of Self-Modifying Code',
880
+ 1124: 'Excessively Deep Nesting',
881
+ 1125: 'Excessive Attack Surface',
882
+ 1126: 'Declaration of Variable with Unnecessarily Wide Scope',
883
+ 1127: 'Compilation with Insufficient Warnings or Errors',
884
+ 1164: 'Irrelevant Code',
885
+ 1173: 'Improper Use of Validation Framework',
886
+ 1174: 'ASP.NET Misconfiguration: Improper Model Validation',
887
+ 1176: 'Inefficient CPU Computation',
888
+ 1177: 'Use of Prohibited Code',
889
+ 1187: 'DEPRECATED: Use of Uninitialized Resource',
890
+ 1188: 'Insecure Default Initialization of Resource',
891
+ 1189: 'Improper Isolation of Shared Resources on System-on-a-Chip',
892
+ 1190: 'DMA Device Enabled Too Early in Boot Phase',
893
+ 1191: 'On-Chip Debug and Test Interface With Improper Access Control',
894
+ 1192: 'System-on-Chip',
895
+ 1193: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access '
896
+ 'Control',
897
+ 1204: 'Generation of Weak Initialization Vector',
898
+ 1209: 'Failure to Disable Reserved Bits',
899
+ 1220: 'Insufficient Granularity of Access Control',
900
+ 1221: 'Incorrect Register Defaults or Module Parameters',
901
+ 1222: 'Insufficient Granularity of Address Regions Protected by Register '
902
+ 'Locks',
903
+ 1223: 'Race Condition for Write-Once Attributes',
904
+ 1224: 'Improper Restriction of Write-Once Bit Fields',
905
+ 1229: 'Creation of Emergent Resource',
906
+ 1230: 'Exposure of Sensitive Information Through Metadata',
907
+ 1231: 'Improper Prevention of Lock Bit Modification',
908
+ 1232: 'Improper Lock Behavior After Power State Transition',
909
+ 1233: 'Security-Sensitive Hardware Controls with Missing Lock Bit '
910
+ 'Protection',
911
+ 1234: 'Hardware Internal or Debug Modes Allow Override of Locks',
912
+ 1235: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical '
913
+ 'Operations',
914
+ 1236: 'Improper Neutralization of Formula Elements in a CSV File',
915
+ 1239: 'Improper Zeroization of Hardware Register',
916
+ 1240: 'Use of a Cryptographic Primitive with a Risky Implementation',
917
+ 1241: 'Use of Predictable Algorithm in Random Number Generator',
918
+ 1242: 'Inclusion of Undocumented Features or Chicken Bits',
919
+ 1243: 'Sensitive Non-Volatile Information Not Protected During Debug',
920
+ 1244: 'Internal Asset Exposed to Unsafe Debug Access Level or State',
921
+ 1245: 'Improper Finite State Machines',
922
+ 1246: 'Improper Write Handling in Limited-write Non-Volatile Memories',
923
+ 1247: 'Improper Protection Against Voltage and Clock Glitches',
924
+ 1248: 'Semiconductor Defects in Hardware Logic with Security-Sensitive '
925
+ 'Implications',
926
+ 1249: 'Application-Level Admin Tool with Inconsistent View of Underlying '
927
+ 'Operating System',
928
+ 1250: 'Improper Preservation of Consistency Between Independent '
929
+ 'Representations of Shared State',
930
+ 1251: 'Mirrored Regions with Different Values',
931
+ 1252: 'CPU Hardware Not Configured to Support Exclusivity of Write and '
932
+ 'Execute Operations',
933
+ 1253: 'Incorrect Selection of Fuse Values',
934
+ 1254: 'Incorrect Comparison Logic Granularity',
935
+ 1255: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks',
936
+ 1256: 'Improper Restriction of Software Interfaces to Hardware Features',
937
+ 1257: 'Improper Access Control Applied to Mirrored or Aliased Memory '
938
+ 'Regions',
939
+ 1258: 'Exposure of Sensitive System Information Due to Uncleared Debug '
940
+ 'Information',
941
+ 1259: 'Improper Restriction of Security Token Assignment',
942
+ 1260: 'Improper Handling of Overlap Between Protected Memory Ranges',
943
+ 1261: 'Improper Handling of Single Event Upsets',
944
+ 1262: 'Improper Access Control for Register Interface',
945
+ 1263: 'Improper Physical Access Control',
946
+ 1264: 'Hardware Logic with Insecure De-Synchronization between Control and '
947
+ 'Data Channels',
948
+ 1265: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested '
949
+ 'Calls',
950
+ 1266: 'Improper Scrubbing of Sensitive Data from Decommissioned Device',
951
+ 1267: 'Policy Uses Obsolete Encoding',
952
+ 1268: 'Policy Privileges are not Assigned Consistently Between Control and '
953
+ 'Data Agents',
954
+ 1269: 'Product Released in Non-Release Configuration',
955
+ 1270: 'Generation of Incorrect Security Tokens',
956
+ 1271: 'Uninitialized Value on Reset for Registers Holding Security '
957
+ 'Settings',
958
+ 1272: 'Sensitive Information Uncleared Before Debug/Power State Transition',
959
+ 1273: 'Device Unlock Credential Sharing',
960
+ 1274: 'Improper Access Control for Volatile Memory Containing Boot Code',
961
+ 1275: 'Sensitive Cookie with Improper SameSite Attribute',
962
+ 1276: 'Hardware Child Block Incorrectly Connected to Parent System',
963
+ 1277: 'Firmware Not Updateable',
964
+ 1278: 'Missing Protection Against Hardware Reverse Engineering Using '
965
+ 'Integrated Circuit',
966
+ 1279: 'Cryptographic Operations are run Before Supporting Units are Ready',
967
+ 1280: 'Access Control Check Implemented After Asset is Accessed',
968
+ 1281: 'Sequence of Processor Instructions Leads to Unexpected Behavior',
969
+ 1282: 'Assumed-Immutable Data is Stored in Writable Memory',
970
+ 1283: 'Mutable Attestation or Measurement Reporting Data',
971
+ 1284: 'Improper Validation of Specified Quantity in Input',
972
+ 1285: 'Improper Validation of Specified Index, Position, or Offset in '
973
+ 'Input',
974
+ 1286: 'Improper Validation of Syntactic Correctness of Input',
975
+ 1287: 'Improper Validation of Specified Type of Input',
976
+ 1288: 'Improper Validation of Consistency within Input',
977
+ 1289: 'Improper Validation of Unsafe Equivalence in Input',
978
+ 1290: 'Incorrect Decoding of Security Identifiers ',
979
+ 1291: 'Public Key Re-Use for Signing both Debug and Production Code',
980
+ 1292: 'Incorrect Conversion of Security Identifiers',
981
+ 1293: 'Missing Source Correlation of Multiple Independent Data',
982
+ 1294: 'Insecure Security Identifier Mechanism',
983
+ 1295: 'Debug Messages Revealing Unnecessary Information',
984
+ 1296: 'Incorrect Chaining or Granularity of Debug Components',
985
+ 1297: 'Unprotected Confidential Information on Device is Accessible by '
986
+ 'OSAT Vendors',
987
+ 1298: 'Hardware Logic Contains Race Conditions',
988
+ 1299: 'Missing Protection Mechanism for Alternate Hardware Interface',
989
+ 1300: 'Improper Protection of Physical Side Channels',
990
+ 1301: 'Insufficient or Incomplete Data Removal within Hardware Component',
991
+ 1302: 'Missing Security Identifier',
992
+ 1303: 'Non-Transparent Sharing of Microarchitectural Resources',
993
+ 1304: 'Improperly Preserved Integrity of Hardware Configuration State '
994
+ 'During a Power Save/Restore Operation',
995
+ 1310: 'Missing Ability to Patch ROM Code',
996
+ 1311: 'Improper Translation of Security Attributes by Fabric Bridge',
997
+ 1312: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall',
998
+ 1313: 'Hardware Allows Activation of Test or Debug Logic at Runtime',
999
+ 1314: 'Missing Write Protection for Parametric Data Values',
1000
+ 1315: 'Improper Setting of Bus Controlling Capability in Fabric End-point',
1001
+ 1316: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of '
1002
+ 'Protected and Unprotected Ranges',
1003
+ 1317: 'Improper Access Control in Fabric Bridge',
1004
+ 1318: 'Missing Support for Security Features in On-chip Fabrics or Buses',
1005
+ 1319: 'Improper Protection against Electromagnetic Fault Injection',
1006
+ 1320: 'Improper Protection for Outbound Error Messages and Alert Signals',
1007
+ 1321: 'Improperly Controlled Modification of Object Prototype Attributes',
1008
+ 1322: 'Use of Blocking Code in Single-threaded, Non-blocking Context',
1009
+ 1323: 'Improper Management of Sensitive Trace Data',
1010
+ 1324: 'DEPRECATED: Sensitive Information Accessible by Physical Probing '
1011
+ 'of JTAG Interface',
1012
+ 1325: 'Improperly Controlled Sequential Memory Allocation',
1013
+ 1326: 'Missing Immutable Root of Trust in Hardware',
1014
+ 1327: 'Binding to an Unrestricted IP Address',
1015
+ 1328: 'Security Version Number Mutable to Older Versions',
1016
+ 1329: 'Reliance on Component That is Not Updateable',
1017
+ 1330: 'Remanent Data Readable after Memory Erase',
1018
+ 1331: 'Improper Isolation of Shared Resources in Network On Chip',
1019
+ 1332: 'Improper Handling of Faults that Lead to Instruction Skips',
1020
+ 1333: 'Inefficient Regular Expression Complexity',
1021
+ 1334: 'Unauthorized Error Injection Can Degrade Hardware Redundancy',
1022
+ 1335: 'Incorrect Bitwise Shift of Integer',
1023
+ 1336: 'Improper Neutralization of Special Elements Used in a Template '
1024
+ 'Engine',
1025
+ 1338: 'Improper Protections Against Hardware Overheating',
1026
+ 1339: 'Insufficient Precision or Accuracy of a Real Number',
1027
+ 1341: 'Multiple Releases of Same Resource or Handle',
1028
+ 1342: 'Information Exposure through Microarchitectural State after '
1029
+ 'Transient Execution',
1030
+ 1351: 'Improper Handling of Hardware Behavior in Exceptionally Cold '
1031
+ 'Environments',
1032
+ 1357: 'Reliance on Insufficiently Trustworthy Component',
1033
+ 1384: 'Improper Handling of Physical or Environmental Conditions',
1034
+ 1385: 'Missing Origin Validation in WebSockets',
1035
+ 1386: 'Insecure Operation on Windows Junction / Mount Point',
1036
+ 1389: 'Incorrect Parsing of Numbers with Different Radices',
1037
+ 1390: 'Weak Authentication',
1038
+ 1391: 'Use of Weak Credentials',
1039
+ 1392: 'Use of Default Credentials',
1040
+ 1393: 'Use of Default Password',
1041
+ 1394: 'Use of Default Cryptographic Key',
1042
+ 1395: 'Dependency on Vulnerable Third-Party Component'
1083
1043
  }
1084
1044
 
1085
1045
  TOML_TEMPLATE = {
@@ -1110,7 +1070,7 @@ TOML_TEMPLATE = {
1110
1070
  },
1111
1071
  }
1112
1072
 
1113
- ref_map = {
1073
+ REF_MAP = {
1114
1074
  r"(?P<org>[^\s./]+).(?:com|org)/(?:[\S]+)?/(?P<id>("
1115
1075
  r"?:ghsa|ntap|rhsa|rhba|zdi|dsa|cisco|intel)-?[\w\d\-:]+)": "Advisory",
1116
1076
  r"cve-[0-9]{4,}-[0-9]{4,}$": "CVE Record",
@@ -1141,226 +1101,246 @@ ref_map = {
1141
1101
  r"bitbucket.org/[^\s/]+/[^\s/]+/wiki/": "Bitbucket Wiki Entry",
1142
1102
  r"https://vuldb.com/\?id.\d+": "VulDB Entry",
1143
1103
  }
1144
- sorted_ref_map = dict(
1145
- sorted(ref_map.items(), key=lambda x: len(x[0]), reverse=True)
1104
+ SORTED_REF_MAP = dict(
1105
+ sorted(REF_MAP.items(), key=lambda x: len(x[0]), reverse=True)
1146
1106
  )
1147
1107
 
1148
- compiled_patterns = {
1108
+ COMPILED_REF_PATTERNS = {
1149
1109
  re.compile(pattern, re.IGNORECASE): value
1150
- for pattern, value in sorted_ref_map.items()
1110
+ for pattern, value in SORTED_REF_MAP.items()
1151
1111
  }
1152
1112
 
1113
+ ISSUES_REGEX = re.compile(
1114
+ r"(?P<host>github|bitbucket|chromium)(?:.com|.org)/(?P<owner>["
1115
+ r"\w\-.]+)/(?P<repo>[\w\-.]+)/issues/(?:detail\?id=)?(?P<id>\d+)",
1116
+ re.IGNORECASE,
1117
+ )
1118
+ ADVISORY_REGEX = re.compile(
1119
+ r"(?P<org>[^\s/.]+).(?:com|org)/(?:\S+/)*/?(?P<id>[\w\-:]+)",
1120
+ re.IGNORECASE,
1121
+ )
1122
+ BUGZILLA_REGEX = re.compile(
1123
+ r"(?<=bugzilla.)(?P<owner>\S+)\.\w{3}/show_bug.cgi\?id=(?P<id>\S+)",
1124
+ re.IGNORECASE,
1125
+ )
1126
+ USN_REGEX = re.compile(
1127
+ r"(?<=usn.ubuntu.com/)[\d\-]+|(?<=ubuntu.com/security/notices/USN-)"
1128
+ r"[\d\-]+",
1129
+ re.IGNORECASE,
1130
+ )
1153
1131
 
1154
- class CsafOccurence:
1155
- def __init__(self, res):
1156
- self.cve = res["id"]
1157
- [self.cwe, self.notes] = parse_cwe(res["problem_type"])
1158
- self.score = res["cvss_score"]
1159
- self.cvss_v3 = parse_cvss(res)
1160
- self.package_issue = res["package_issue"]
1161
- [
1162
- self.pkg,
1163
- self.product_status,
1164
- self.vrange,
1165
- self.search_string,
1166
- ] = get_product_status(res["package_issue"], res["matched_by"])
1167
- self.description = (
1168
- res["short_description"]
1169
- .replace("\\n", " ")
1170
- .replace("\\t", " ")
1171
- .replace("\n", " ")
1172
- .replace("\t", " ")
1173
- )
1174
- self.references = res["related_urls"]
1175
- self.type = (res["type"],)
1176
- self.severity = (
1177
- res["severity"] if (
1178
- res["severity"] in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"]) else (
1179
- "UNKNOWN")
1180
- )
1181
- self.orig_date = res["source_orig_time"] or None
1182
- self.update_date = res["source_update_time"] or None
1183
-
1184
- def to_dict(self):
1185
- vuln = {}
1186
- if self.cve.startswith("CVE"):
1187
- vuln["cve"] = self.cve
1188
- vuln["cwe"] = self.cwe
1189
- vuln["discovery_date"] = str(self.orig_date) or str(self.update_date)
1190
- vuln["product_status"] = self.product_status
1191
- [ids, vuln["references"]] = format_references(self.references)
1192
- vuln["ids"] = ids
1193
- if self.cvss_v3:
1194
- vuln["scores"] = [{"cvss_v3": self.cvss_v3, "products": [self.pkg]}]
1195
- self.notes.append(
1196
- {
1197
- "category": "general",
1198
- "text": self.description,
1199
- "details": "Vulnerability Description",
1200
- }
1201
- )
1202
- vuln["notes"] = self.notes
1203
- return vuln
1204
1132
 
1133
+ def vdr_to_csaf(res):
1134
+ """
1135
+ Processes a vulnerability from the VDR format to CSAF format.
1136
+
1137
+ :param res: The metadata for a single vulnerability.
1138
+ :type res: dict
1205
1139
 
1206
- def get_product_status(issue, matched_by):
1140
+ :return: The processed vulnerability in CSAF format.
1141
+ :rtype: dict
1207
1142
  """
1208
- Generates the product status based on the given response and package.
1143
+ cve = res.get("id", "")
1144
+ acknowledgements = get_acknowledgements(res.get("source", {}))
1145
+ [products, product_status] = get_products(
1146
+ res.get("affects", []), res.get("properties", [])
1147
+ )
1148
+ cwe, notes = parse_cwe(res.get("cwes", []))
1149
+ cvss_v3 = parse_cvss(res.get("ratings", [{}]))
1150
+ description = (
1151
+ res.get("description", "")
1152
+ .replace("\n", " ")
1153
+ .replace("\t", " ")
1154
+ .replace("\n", " ")
1155
+ .replace("\t", " ")
1156
+ )
1157
+ ids, references = format_references(res.get("advisories", []))
1158
+ orig_date = res.get("published")
1159
+ update_date = res.get("updated")
1160
+ discovery_date = orig_date or update_date
1161
+ vuln = {}
1162
+ if cve.startswith("CVE"):
1163
+ vuln["cve"] = cve
1164
+ vuln["cwe"] = cwe
1165
+ vuln["acknowledgements"] = acknowledgements
1166
+ vuln["discovery_date"] = str(discovery_date) if discovery_date else None
1167
+ vuln["product_status"] = product_status
1168
+ vuln["references"] = references
1169
+ vuln["ids"] = ids
1170
+ vuln["scores"] = [{"cvss_v3": cvss_v3, "products": products}]
1171
+ notes.append(
1172
+ {
1173
+ "category": "general",
1174
+ "text": description,
1175
+ "details": "Vulnerability Description",
1176
+ }
1177
+ )
1178
+ vuln["notes"] = notes
1179
+
1180
+ return vuln
1209
1181
 
1210
- Args:
1211
- issue (dict): The response dictionary of information about the product.
1212
- matched_by (str): The location data
1213
1182
 
1214
- Returns: dict: A dictionary containing the product status. The keys
1215
- represent different statuses, while the values represent the corresponding
1216
- locations. If the product has a fixed location, the key "fixed" will be
1217
- present with the fixed location as its value. If the product has an affected
1218
- location, the key "known_affected" will be present with the affected
1219
- location as its value.
1183
+ def get_products(affects, props):
1184
+ """
1185
+ Generates a list of unique products and a dictionary of version statuses for
1186
+ the vulnerability.
1187
+
1188
+ :param affects: Affected and fixed versions with associated purls
1189
+ :type affects: list[dict]
1190
+ :param props: List of properties
1191
+ :type props: list[dict]
1220
1192
 
1193
+ :return: Packages affected by the vulnerability and their statuses
1194
+ :rtype: tuple[list[str], dict[str, str]]
1221
1195
  """
1222
- product_status = {}
1223
- pkg = matched_by.split("|")
1224
- version_range = None
1225
- search_string = None
1226
- if len(pkg) == 3:
1227
- pkg = matched_by.split("|")[1]
1228
- search_string = pkg
1229
- elif len(pkg) == 4:
1230
- pkg = matched_by.split("|")[2]
1231
- search_string = f"{matched_by.split('|')[1]}/{pkg}"
1232
- if issue.get("fixed_location"):
1233
- product_status["fixed"] = [f"{pkg}:{issue.get('fixed_location')}"]
1234
- if issue.get("affected_location"):
1196
+ if not affects and not props:
1197
+ return [], {}
1198
+
1199
+ known_affected = []
1200
+ fixed = []
1201
+ products = set()
1202
+ for i in affects:
1203
+ for v in i.get("versions", []):
1204
+ purl = None
1205
+ try:
1206
+ purl = PackageURL.from_string(i.get("ref", ""))
1207
+ namespace = purl.namespace
1208
+ pkg_name = purl.name
1209
+ version = purl.version
1210
+ except ValueError:
1211
+ purl = i.get("ref", "")
1212
+ namespace = None
1213
+ pkg_name = i.get("ref", "")
1214
+ version = None
1215
+ if purl and v.get("status") == "affected":
1216
+ known_affected.append(
1217
+ f'{namespace}/{pkg_name}@{version}')
1218
+ elif purl and v.get("status") == "unaffected":
1219
+ fixed.append(f'{namespace}/{pkg_name}@{v.get("version")}')
1220
+ elif not purl and v.get("status") == "affected":
1221
+ known_affected.append(i.get("ref"))
1222
+ product = ''
1235
1223
  try:
1236
- loc_dict = issue.get("affected_location")
1237
- version_range = loc_dict.get("version")
1238
- product_status["known_affected"] = [
1239
- f'{loc_dict.get("package")}:{version_range}'
1240
- ]
1241
- except json.JSONDecodeError:
1242
- logging.warning("Invalid JSON string for affected_location")
1243
- return pkg, product_status, version_range, search_string
1224
+ purl = PackageURL.from_string(i.get("ref", ""))
1225
+ if purl.namespace:
1226
+ product += f'{purl.namespace}/'
1227
+ product += f'{purl.name}@{purl.version}'
1228
+ except ValueError:
1229
+ product = i.get("ref", "")
1230
+ products.add(product)
1231
+
1232
+ if version_range := [
1233
+ {i["name"]: i["value"]}
1234
+ for i in props
1235
+ if i["name"] == "affectedVersionRange"
1236
+ ]:
1237
+ for v in version_range:
1238
+ products.add(v["affectedVersionRange"])
1239
+ known_affected.append(v["affectedVersionRange"])
1240
+
1241
+ known_affected = [
1242
+ i.replace("None/", "").replace("@None", "")
1243
+ for i in known_affected
1244
+ ]
1245
+ fixed = [
1246
+ i.replace("None/", "").replace("@None", "") for i in fixed
1247
+ ]
1248
+
1249
+ return list(products), {"known_affected": known_affected, "fixed": fixed}
1250
+
1251
+
1252
+ def get_acknowledgements(source):
1253
+ """
1254
+ Generates the acknowledgements from the source data information
1255
+ :param source: A dictionary with the source information
1256
+ :type source: dict
1257
+
1258
+ :return: A dictionary containing the acknowledgements
1259
+ :rtype: dict
1260
+ """
1261
+ if not source.get("name"):
1262
+ return {}
1263
+
1264
+ return {
1265
+ "organization": source["name"],
1266
+ "urls": [source.get("url")]
1267
+ }
1244
1268
 
1245
1269
 
1246
1270
  def parse_cwe(cwe):
1271
+ """
1272
+ Takes a list of CWE numbers and returns a single CSAF CWE entry, with any
1273
+ additional CWEs returned in notes (CSAF 2.0 only allows one CWE).
1274
+
1275
+ :param cwe: A list of CWE numbers
1276
+ :type cwe: list
1277
+
1278
+ :return: A single CSAF CWE entry (dict) and notes (list)
1279
+ :rtype: tuple
1280
+ """
1247
1281
  fmt_cwe = None
1248
1282
  new_notes = []
1249
1283
 
1250
- if not cwe or cwe in ["UNKNOWN", [], "[]"]:
1284
+ if not cwe:
1251
1285
  return fmt_cwe, new_notes
1252
1286
 
1253
- cwe_ids = re.findall(r"CWE-[1-9]\d{0,5}", cwe)
1254
- for i, cweid in enumerate(cwe_ids):
1255
- cwe_name = CWE_MAP.get(cweid, "UNABLE TO LOCATE CWE NAME")
1287
+ for i, cwe_id in enumerate(cwe):
1288
+ cwe_name = CWE_MAP.get(cwe_id, "UNABLE TO LOCATE CWE NAME")
1256
1289
  if not cwe_name:
1257
1290
  LOG.warning(
1258
1291
  "We couldn't locate the name of the CWE with the following "
1259
1292
  "id: %s. Help us out by reporting the id at "
1260
- "https://github.com/owasp-dep-scan/dep-scan/issues.",
1261
- cweid,
1262
- )
1293
+ "https://github.com/owasp-dep-scan/dep-scan/issues.", i, )
1263
1294
  if i == 0:
1264
- fmt_cwe = {
1265
- "id": cweid,
1266
- "name": cwe_name,
1267
- }
1268
- # CSAF 2.0 only allows a single CWE per vulnerability, so we add
1269
- # any additional CWEs to a note entry.
1295
+ fmt_cwe = {"id": str(cwe_id), "name": cwe_name, }
1270
1296
  else:
1271
1297
  new_notes.append(
1272
- {
1273
- "title": f"Additional CWE: {cweid}",
1274
- "audience": "developers",
1275
- "category": "other",
1276
- "text": cwe_name,
1277
- }
1278
- )
1298
+ {"title": f"Additional CWE: {cwe_id}", "audience": "developers",
1299
+ "category": "other", "text": cwe_name, })
1279
1300
 
1280
1301
  return fmt_cwe, new_notes
1281
1302
 
1282
1303
 
1283
- def parse_cvss(res):
1304
+ def parse_cvss(ratings):
1284
1305
  """
1285
- Parses the CVSS information from the given response.
1286
-
1287
- Parameters:
1288
- res (dict): The response containing the CVSS information.
1289
-
1290
- Returns:
1291
- dict or None: The parsed CVSS information as a dictionary, or None if
1292
- the CVSS vector string is empty as it is required for cvss v3.
1293
- The dictionary contains the following keys:
1294
- - baseScore (float): The base score of the CVSS.
1295
- - attackVector (str): The attack vector of the CVSS.
1296
- - privilegesRequired (str): Privileges required for the CVSS.
1297
- - userInteraction (str): User interaction required for the CVSS.
1298
- - scope (str): The scope of the CVSS.
1299
- - impactScore (str): The impact score of the CVSS.
1300
- - baseSeverity (str): The base severity of the CVSS.
1301
- - version (str): The version of the CVSS.
1302
- - vectorString (str): The vector string of the CVSS.
1303
- If the vector string or base score are missing, or the CVSS
1304
- version is not 3.0 or 3.1, None is returned.
1306
+ Parses the CVSS information from pkg_vulnerabilities
1307
+
1308
+ :param ratings: The ratings data
1309
+ :type ratings: list[dict]
1310
+
1311
+ :return: The parsed CVSS information as a single dictionary
1312
+ :rtype: dict
1305
1313
  """
1314
+ if not ratings or not (vector_string := ratings[0].get("vector")):
1315
+ return {}
1316
+ try:
1317
+ cvss_v3 = cvss.CVSS3(vector_string)
1318
+ cvss_v3.check_mandatory()
1319
+ except [CVSSError, ValueError]:
1320
+ return {}
1306
1321
 
1307
- # baseScore, baseSeverity, vectorString, and version are required
1308
- cvss_v3 = res.get("cvss_v3")
1309
- if (
1310
- not cvss_v3
1311
- or not (vector_string := cvss_v3.get("vector_string"))
1312
- or not (version := re.findall(r"3.0|3.1",
1313
- cvss_v3.get("vector_string", "")))
1314
- or not (base_score := cvss_v3.get("base_score"))
1315
- or (severity := res.get("severity")) not in
1316
- ["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"]
1317
- ):
1318
- return None
1319
- version = version[0]
1320
- cvss_v3_data = {
1321
- "baseScore": base_score,
1322
- "baseSeverity": severity,
1323
- "attackVector": cvss_v3.get("attack_vector"),
1324
- "privilegesRequired": cvss_v3.get("privileges_required"),
1325
- "userInteraction": cvss_v3.get("user_interaction"),
1326
- "scope": cvss_v3.get("scope"),
1327
- "version": version,
1328
- "vectorString": vector_string,
1329
- }
1322
+ cvss_v3_dict = cvss_v3.as_json()
1323
+
1324
+ cvss_v3 = {k: v for k, v in cvss_v3_dict.items() if v != "NOT_DEFINED"}
1330
1325
 
1331
- return cvss_v3_data
1326
+ return cleanup_dict(cvss_v3)
1332
1327
 
1333
1328
 
1334
- def format_references(ref):
1329
+ def format_references(advisories):
1335
1330
  """
1336
- Formats the given references.
1331
+ Formats the advisories as references.
1337
1332
 
1338
- Args:
1339
- ref (list): A list of references.
1333
+ :param advisories: List of dictionaries of advisories online
1334
+ :type advisories: list
1340
1335
 
1341
- Returns:
1342
- list: A list of dictionaries with the formatted references.
1336
+ :return: A list of dictionaries with the formatted references.
1337
+ :rtype: list
1343
1338
  """
1339
+ if not advisories:
1340
+ return [], []
1341
+ ref = [i["url"] for i in advisories]
1344
1342
  fmt_refs = [{"summary": get_ref_summary(r), "url": r} for r in ref]
1345
1343
  ids = []
1346
- issues_regex = re.compile(
1347
- r"(?P<host>github|bitbucket|chromium)(?:.com|.org)/(?P<owner>["
1348
- r"\w\-.]+)/(?P<repo>[\w\-.]+)/issues/(?:detail\?id=)?(?P<id>\d+)",
1349
- re.IGNORECASE,
1350
- )
1351
- advisory_regex = re.compile(
1352
- r"(?P<org>[^\s/.]+).(?:com|org)/(?:\S+/)*/?(?P<id>[\w\-:]+)",
1353
- re.IGNORECASE,
1354
- )
1355
- bugzilla_regex = re.compile(
1356
- r"(?<=bugzilla.)(?P<owner>\S+)\.\w{3}/show_bug.cgi\?id=(?P<id>" r"\S+)",
1357
- re.IGNORECASE,
1358
- )
1359
- usn_regex = re.compile(
1360
- r"(?<=usn.ubuntu.com/)[\d\-]+|(?<=ubuntu.com/security/notices/USN-)["
1361
- r"\d\-]+",
1362
- re.IGNORECASE,
1363
- )
1364
1344
  id_types = ["Advisory", "Issue", "Ubuntu Security Notice", "Bugzilla"]
1365
1345
  parse = [i for i in fmt_refs if i.get("summary") in id_types]
1366
1346
  refs = [i for i in fmt_refs if i.get("summary") not in id_types]
@@ -1369,7 +1349,7 @@ def format_references(ref):
1369
1349
  summary = reference["summary"]
1370
1350
  if summary == "Advisory":
1371
1351
  url = url.replace("glsa/", "glsa-")
1372
- if adv := re.search(advisory_regex, url):
1352
+ if adv := re.search(ADVISORY_REGEX, url):
1373
1353
  system_name = (
1374
1354
  (adv["org"].capitalize() + " Advisory")
1375
1355
  .replace("Redhat", "Red Hat")
@@ -1379,7 +1359,7 @@ def format_references(ref):
1379
1359
  )
1380
1360
  ids.append({"system_name": system_name, "text": adv["id"]})
1381
1361
  summary = system_name
1382
- elif issue := re.search(issues_regex, url):
1362
+ elif issue := re.search(ISSUES_REGEX, url):
1383
1363
  summary = (
1384
1364
  issue["host"].capitalize().replace("Github", "GitHub")
1385
1365
  + " Issue"
@@ -1395,14 +1375,14 @@ def format_references(ref):
1395
1375
  "text": issue["id"],
1396
1376
  }
1397
1377
  )
1398
- elif bugzilla := re.search(bugzilla_regex, url):
1378
+ elif bugzilla := re.search(BUGZILLA_REGEX, url):
1399
1379
  system_name = f"{bugzilla['owner'].capitalize()} Bugzilla"
1400
1380
  system_name = system_name.replace("Redhat", "Red Hat")
1401
1381
  ids.append(
1402
1382
  {"system_name": f"{system_name} ID", "text": bugzilla["id"]}
1403
1383
  )
1404
1384
  summary = system_name
1405
- elif usn := re.search(usn_regex, url):
1385
+ elif usn := re.search(USN_REGEX, url):
1406
1386
  ids.append({"system_name": summary, "text": f"USN-{usn[0]}"})
1407
1387
  refs.append({"summary": summary, "url": url})
1408
1388
  new_ids = {(idx["system_name"], idx["text"]) for idx in ids}
@@ -1415,20 +1395,21 @@ def get_ref_summary(url):
1415
1395
  """
1416
1396
  Returns the summary string associated with a given URL.
1417
1397
 
1418
- Parameters:
1419
- url (str): The URL to match against the patterns in the REF_MAP.
1398
+ :param url: The URL to match against the patterns in the REF_MAP.
1399
+ :type url: str
1420
1400
 
1421
- Returns:
1422
- str: The summary string corresponding to the matched pattern in REF_MAP.
1423
- If no match is found, an exception is raised.
1401
+ :return: The summary string corresponding to the matched pattern in REF_MAP.
1402
+ :rtype: str
1403
+
1404
+ :raises: TypeError if url is not a string
1424
1405
  """
1425
- if type(url) is not str:
1406
+ if not isinstance(url, str):
1426
1407
  raise TypeError("url must be a string")
1427
1408
 
1428
1409
  return next(
1429
1410
  (
1430
1411
  value
1431
- for pattern, value in compiled_patterns.items()
1412
+ for pattern, value in COMPILED_REF_PATTERNS.items()
1432
1413
  if pattern.search(url)
1433
1414
  ),
1434
1415
  "Other",
@@ -1437,13 +1418,13 @@ def get_ref_summary(url):
1437
1418
 
1438
1419
  def parse_revision_history(tracking):
1439
1420
  """
1440
- Parses the revision history of a tracking object.
1421
+ Parses the revision history from the tracking data.
1441
1422
 
1442
- Args:
1443
- tracking (dict): The tracking object containing the revision history.
1423
+ :param tracking: The tracking object containing the revision history
1424
+ :type tracking: dict
1444
1425
 
1445
- Returns:
1446
- dict: The updated tracking object with the parsed revision history.
1426
+ :return: The updated tracking object
1427
+ :rtype: dict
1447
1428
  """
1448
1429
  hx = deepcopy(tracking.get("revision_history")) or []
1449
1430
  if not hx and (tracking.get("version")) != "1":
@@ -1534,11 +1515,11 @@ def import_product_tree(tree):
1534
1515
  """
1535
1516
  Set the product tree by loading it from a file.
1536
1517
 
1537
- Parameters:
1538
- tree (dict): The dictionary representing the tree.
1518
+ :param tree: The dictionary representing the tree.
1519
+ :type tree: dict
1539
1520
 
1540
- Returns:
1541
- dict: The product tree loaded from the file, or None if file is empty.
1521
+ :return: The product tree loaded from the file, or None if file is empty.
1522
+ :rtype: dict or None
1542
1523
  """
1543
1524
  product_tree = None
1544
1525
  if len(tree["easy_import"]) > 0:
@@ -1563,25 +1544,15 @@ def import_product_tree(tree):
1563
1544
 
1564
1545
  def parse_toml(metadata):
1565
1546
  """
1566
- Parses the given metadata in TOML format and generates an output dictionary.
1567
-
1568
- Args:
1569
- metadata (dict): A dictionary containing the metadata in TOML format.
1547
+ Parses the given metadata from csaf.toml and generates an output dictionary.
1570
1548
 
1571
- Returns:
1572
- dict: The generated output dictionary.
1549
+ :param metadata: The data read from csaf.toml
1573
1550
 
1574
- Raises:
1575
- Exception: If the 'product_tree' entry is missing in the TOML file.
1576
- Exception: If the 'initial_release_date' is later than the
1577
- 'current_release_date'.
1551
+ :return: The processed metadata ready to use in the CSAF document.
1578
1552
  """
1579
1553
  tracking = parse_revision_history(metadata.get("tracking"))
1580
- # FIXME: Could this be simplified as list comprehension without append
1581
- refs = []
1582
- [refs.append(v) for v in metadata.get("reference")]
1583
- notes = []
1584
- [notes.append(v) for v in metadata.get("note")]
1554
+ refs = list(metadata.get("reference"))
1555
+ notes = list(metadata.get("note"))
1585
1556
  product_tree = import_product_tree(metadata["product_tree"])
1586
1557
  return {
1587
1558
  "document": {
@@ -1610,41 +1581,26 @@ def toml_compatibility(metadata):
1610
1581
  """
1611
1582
  Applies any changes to the formatting of the TOML after a depscan
1612
1583
  minor or patch update
1613
- """
1614
- # Removed compatibility for 5.0.0 release
1615
1584
 
1616
- # The 4.3.0 TOML referenced revision_history as revision
1617
- # if metadata["depscan_version"] < "4.3.1":
1618
- # metadata["tracking"]["revision_history"] = metadata["tracking"].get(
1619
- # "revision"
1620
- # )
1621
- # if metadata["tracking"].get("revision"):
1622
- # del metadata["tracking"]["revision"]
1585
+ :param metadata: The toml data
1586
+ """
1623
1587
 
1624
1588
  return metadata
1625
1589
 
1626
1590
 
1627
- def export_csaf(
1628
- results,
1629
- src_dir,
1630
- reports_dir,
1631
- vdr_file,
1632
- direct_purls,
1633
- reached_purls,
1634
- ):
1591
+ def export_csaf(pkg_vulnerabilities, src_dir, reports_dir, bom_file):
1635
1592
  """
1636
- Generates a CSAF JSON template from the given results.
1637
-
1638
- Parameters:
1639
- results (list): Raw results from scan
1640
- src_dir (str): The source directory.
1641
- reports_dir (str): The reports directory.
1642
- vdr_file (str): The BOM file path
1643
- direct_purls (dict): Package URLs with direct usages
1644
- reached_purls (dict): Package URLs with reachable flows
1645
-
1646
- Returns:
1647
- None
1593
+ Generates a CSAF 2.0 JSON document from the results.
1594
+
1595
+ :param pkg_vulnerabilities: List of vulnerabilities
1596
+ :type pkg_vulnerabilities: list
1597
+ :param src_dir: The source directory.
1598
+ :type src_dir: str
1599
+ :param reports_dir: The reports directory.
1600
+ :type reports_dir: str
1601
+ :param bom_file: The BOM file path
1602
+ :type bom_file: str
1603
+
1648
1604
  """
1649
1605
  toml_file_path = os.getenv(
1650
1606
  "DEPSCAN_CSAF_TEMPLATE", os.path.join(src_dir, "csaf.toml")
@@ -1652,33 +1608,34 @@ def export_csaf(
1652
1608
  metadata = import_csaf_toml(toml_file_path)
1653
1609
  metadata = toml_compatibility(metadata)
1654
1610
  template = parse_toml(metadata)
1655
- new_results = add_vulnerabilities(
1656
- template, results, direct_purls, reached_purls
1657
- )
1611
+ new_results = add_vulnerabilities(template, pkg_vulnerabilities)
1658
1612
  new_results = cleanup_dict(new_results)
1659
1613
  [new_results, metadata] = verify_components_present(
1660
- new_results, metadata, vdr_file
1614
+ new_results, metadata, bom_file
1661
1615
  )
1662
1616
 
1663
1617
  outfile = os.path.join(
1664
1618
  reports_dir,
1665
1619
  f"csaf_v{new_results['document']['tracking']['version']}.json",
1666
1620
  )
1667
- json.dump(new_results, open(outfile, "w", encoding="utf-8"), indent=4)
1621
+
1622
+ with open(outfile, "w", encoding="utf-8") as f:
1623
+ json.dump(new_results, f, indent=4, sort_keys=True)
1668
1624
  LOG.info("CSAF report written to %s", outfile)
1669
1625
  write_toml(toml_file_path, metadata)
1670
1626
 
1671
1627
 
1672
1628
  def import_csaf_toml(toml_file_path):
1673
1629
  """
1674
- Reads the contents of the "csaf.toml" file, parses it as TOML, and converts
1675
- it to JSON format.
1630
+ Reads the csaf.toml file and returns it as a dictionary.
1676
1631
 
1677
- Returns:
1678
- dict: A dictionary containing the parsed contents of the csaf.toml
1632
+ :param toml_file_path: The path to the csaf.toml file.
1633
+ :type toml_file_path: str
1679
1634
 
1680
- Raises:
1681
- TOMLDecodeError: If the TOML file contains duplicate keys or is invalid.
1635
+ :return: A dictionary containing the parsed contents of the csaf.toml.
1636
+ :rtype: dict
1637
+
1638
+ :raises TOMLDecodeError: If the TOML is invalid.
1682
1639
  """
1683
1640
  try:
1684
1641
  with open(toml_file_path, "r", encoding="utf-8") as f:
@@ -1690,7 +1647,7 @@ def import_csaf_toml(toml_file_path):
1690
1647
  "duplicate keys and that any filepaths are properly escaped"
1691
1648
  "if using Windows."
1692
1649
  )
1693
- exit(1)
1650
+ sys.exit(1)
1694
1651
  except FileNotFoundError:
1695
1652
  write_toml(toml_file_path)
1696
1653
  return import_csaf_toml(toml_file_path)
@@ -1700,13 +1657,13 @@ def import_csaf_toml(toml_file_path):
1700
1657
 
1701
1658
  def write_toml(toml_file_path, metadata=None):
1702
1659
  """
1703
- Retrieves the TOML template file from the given URL and saves it to the
1704
- specified file name.
1705
-
1706
- Parameters:
1707
- toml_file_path (str): The filepath to save the TOML template to.
1660
+ Writes the toml data out to file. If no toml data is provided, a toml is
1661
+ generated based on the default template.
1708
1662
 
1709
- metadata (dict): A dictionary containing the TOML metadata.
1663
+ :param toml_file_path: The filepath to save the TOML template to.
1664
+ :type toml_file_path: str
1665
+ :param metadata: A dictionary containing the TOML metadata.
1666
+ :type metadata: dict
1710
1667
 
1711
1668
  """
1712
1669
  if not metadata:
@@ -1714,19 +1671,16 @@ def write_toml(toml_file_path, metadata=None):
1714
1671
  metadata["depscan_version"] = get_version()
1715
1672
  with open(toml_file_path, "w", encoding="utf-8") as f:
1716
1673
  toml.dump(metadata, f)
1717
- LOG.info("The csaf.toml has been updated at %s", toml_file_path)
1674
+ LOG.debug("The csaf.toml has been updated at %s", toml_file_path)
1718
1675
 
1719
1676
 
1720
1677
  def cleanup_list(d):
1721
1678
  """
1722
- Generate a function comment for the given function body in a markdown code
1723
- block with the correct language syntax.
1679
+ Cleans up a list by removing empty or None values recursively.
1724
1680
 
1725
- Args:
1726
- d (list): A list of dictionaries and strings.
1681
+ :param d: The list to be cleaned up.
1727
1682
 
1728
- Returns:
1729
- list: A new list containing cleaned up entries from the input list.
1683
+ :return: The new list or None
1730
1684
  """
1731
1685
  new_lst = []
1732
1686
  for dl in d:
@@ -1742,12 +1696,9 @@ def cleanup_dict(d):
1742
1696
  """
1743
1697
  Cleans up a dictionary by removing empty or None values recursively.
1744
1698
 
1745
- Parameters:
1746
- - d (dict): The dictionary to be cleaned up.
1699
+ :param d: The dictionary to be cleaned up.
1747
1700
 
1748
- Returns:
1749
- - dict or None: The cleaned up dictionary. If the resulting dictionary is
1750
- empty, returns None.
1701
+ :return: The new dictionary or None
1751
1702
  """
1752
1703
  new_dict = {}
1753
1704
  for key, value in d.items():
@@ -1764,11 +1715,18 @@ def cleanup_dict(d):
1764
1715
  return new_dict
1765
1716
 
1766
1717
 
1767
- def import_root_component(vdr_file):
1718
+ def import_root_component(bom_file):
1768
1719
  """
1769
- Imports the root component from the given bom file into the csaf
1720
+ Import the root component from the VDR file if no product tree is present
1721
+ and gene external references.
1722
+
1723
+ :param bom_file: The path to the VDR file.
1724
+ :type bom_file: str
1725
+
1726
+ :returns: The product tree (dict) and additional references (list of dicts).
1727
+ :rtype: tuple
1770
1728
  """
1771
- with open(vdr_file, "r", encoding="utf-8") as f:
1729
+ with open(bom_file, "r", encoding="utf-8") as f:
1772
1730
  bom = json.load(f)
1773
1731
 
1774
1732
  refs = []
@@ -1796,31 +1754,29 @@ def import_root_component(vdr_file):
1796
1754
  for r in external_references
1797
1755
  )
1798
1756
  if product_tree:
1799
- LOG.info("Successfully imported root component into the product tree.")
1757
+ LOG.debug("Successfully imported root component into the product tree.")
1800
1758
  else:
1801
- LOG.info(
1802
- "Unable to import root component for product tree, "
1803
- "so product tree will not be included."
1759
+ LOG.debug(
1760
+ "Unable to import root component for product tree, so product "
1761
+ "tree will not be included."
1804
1762
  )
1805
1763
 
1806
1764
  return product_tree, refs
1807
1765
 
1808
1766
 
1809
- def verify_components_present(data, metadata, vdr_file):
1767
+ def verify_components_present(data, metadata, bom_file):
1810
1768
  """
1811
- Verify if the required components are present in the given data, metadata,
1812
- and vdr_file.
1813
-
1814
- Args:
1815
- data (dict): The data dictionary - this is the dictionary
1816
- representing the csaf document itself.
1817
- metadata (dict): The metadata dictionary - this stores the data that
1818
- will be written back out to the csaf.toml.
1819
- vdr_file (str): The path to the vdr_file.
1820
-
1821
- Returns:
1822
- tuple: A tuple containing the modified template dictionary and the
1823
- modified new_metadata dictionary.
1769
+ Verify if the required components are present
1770
+
1771
+ :param data: The dictionary representing the csaf document itself.
1772
+ :type data: dict
1773
+ :param metadata: The dictionary that will be written back to the csaf.toml.
1774
+ :type metadata: dict
1775
+ :param bom_file: The path to the vdr_file.
1776
+ :type bom_file: str
1777
+
1778
+ :return: The modified template and metadata dictionaries.
1779
+ :rtype: tuple
1824
1780
  """
1825
1781
  template = deepcopy(data)
1826
1782
  new_metadata = deepcopy(metadata)
@@ -1841,7 +1797,7 @@ def verify_components_present(data, metadata, vdr_file):
1841
1797
 
1842
1798
  # Add product tree if not present
1843
1799
  if not template.get("product_tree"):
1844
- [template["product_tree"], extra_ref] = import_root_component(vdr_file)
1800
+ [template["product_tree"], extra_ref] = import_root_component(bom_file)
1845
1801
  if extra_ref and template["document"].get("references"):
1846
1802
  template["document"]["references"] += extra_ref
1847
1803
  elif extra_ref:
@@ -1856,28 +1812,26 @@ def verify_components_present(data, metadata, vdr_file):
1856
1812
 
1857
1813
  # Reset the id if it's one we've generated
1858
1814
  if re.match(
1859
- r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}_v",
1860
- new_metadata["tracking"]["id"]
1815
+ r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}_v", new_metadata["tracking"]["id"]
1861
1816
  ):
1862
1817
  new_metadata["tracking"]["id"] = ""
1863
1818
 
1864
1819
  return template, new_metadata
1865
1820
 
1866
1821
 
1867
- def add_vulnerabilities(data, results, direct_purls, reached_purls):
1822
+ def add_vulnerabilities(template, pkg_vulnerabilities):
1868
1823
  """
1869
1824
  Add vulnerabilities to the given data.
1870
1825
 
1871
- Parameters:
1872
- - data: The CSAF data so far.
1873
- - results: A list of results containing vulnerability information.
1874
- - direct_purls: A list of direct package URLs.
1875
- - reached_purls: A list of reached package URLs.
1826
+ :param template: The CSAF data so far.
1827
+ :type template: dict
1828
+ :param pkg_vulnerabilities: The vulnerabilities to add.
1829
+ :type pkg_vulnerabilities: list
1876
1830
 
1877
- Returns:
1878
- - new_results: The modified data with added vulnerability information.
1831
+ :return: The modified data with added vulnerability information.
1832
+ :rtype: dict
1879
1833
  """
1880
- new_results = deepcopy(data)
1834
+ new_results = deepcopy(template)
1881
1835
  agg_score = set()
1882
1836
  severity_ref = {
1883
1837
  "CRITICAL": 1,
@@ -1887,29 +1841,10 @@ def add_vulnerabilities(data, results, direct_purls, reached_purls):
1887
1841
  "UNKNOWN": 5,
1888
1842
  "NONE": 6,
1889
1843
  }
1890
- affected_regex = re.compile(
1891
- r"(?P<lmod>[>=]{1,2})(?P<lower>\w+(?:.\w+)?(?:.\w+)?)-(?P<umod>[<=]{"
1892
- r"1,2})(?P<upper>\w+.(?:\w+.)?(?:\w+)?)",
1893
- re.IGNORECASE,
1894
- )
1895
- reached_dict = calculate_reached(reached_purls, direct_purls)
1896
-
1897
- for r in results:
1898
- c = CsafOccurence(r)
1899
- new_vuln = c.to_dict()
1900
- agg_score.add(severity_ref.get(c.severity, 5))
1901
- if c.search_string:
1902
- found = reached_dict.get(c.search_string)
1903
- if not found:
1904
- new_vuln["flags"] = [
1905
- {"label": "vulnerable_code_not_in_execute_path"}
1906
- ]
1907
- elif version_data := re.search(affected_regex, c.vrange):
1908
- if not version_helper(found, version_data.groupdict()):
1909
- new_vuln["flags"] = [
1910
- {"label": "vulnerable_code_not_in_execute_path"}
1911
- ]
1912
-
1844
+ for r in pkg_vulnerabilities:
1845
+ new_vuln = vdr_to_csaf(r)
1846
+ if sev := new_vuln["scores"][0]["cvss_v3"].get("baseSeverity"):
1847
+ agg_score.add(severity_ref.get(sev))
1913
1848
  new_results["vulnerabilities"].append(new_vuln)
1914
1849
  if agg_score := list(agg_score):
1915
1850
  agg_score.sort()
@@ -1921,62 +1856,3 @@ def add_vulnerabilities(data, results, direct_purls, reached_purls):
1921
1856
  new_results["document"]["aggregate_severity"] = {"text": agg_severity}
1922
1857
 
1923
1858
  return new_results
1924
-
1925
-
1926
- def calculate_reached(reached_purls, direct_purls):
1927
- """
1928
- Calculate the reached packages and their versions.
1929
-
1930
- This function takes two dictionaries, `reached_purls` and `direct_purls`, as
1931
- input. `reached_purls` contains the reached packages with their URLs, while
1932
- `direct_purls` contains the direct packages with their URLs. The function
1933
- calculates the reached packages and their versions by parsing the URLs.
1934
-
1935
- Parameters:
1936
- reached_purls (dict): A dictionary containing the reached packages with
1937
- their URLs.
1938
- direct_purls (dict): A dictionary containing the direct packages with
1939
- their URLs.
1940
-
1941
- Returns:
1942
- dict: A dictionary containing the reached packages as keys and a list
1943
- of versions as values.
1944
- """
1945
- reached_dict = {}
1946
- reached_regex = re.compile(
1947
- r"(?P<pkg>[^/]+/[^/]+)@(?P<version>\w+.(" r"?:\w+.)?(?:\w+)?)",
1948
- re.IGNORECASE,
1949
- )
1950
- for k in reached_purls.keys() | direct_purls.keys():
1951
- if result := re.search(reached_regex, k):
1952
- pkg = result["pkg"]
1953
- version = result["version"]
1954
- reached_dict.setdefault(pkg, []).append(version)
1955
- return reached_dict
1956
-
1957
-
1958
- def version_helper(reached, vdata):
1959
- """
1960
- Determines if the vulnerability includes the reached version.
1961
-
1962
- Args:
1963
- reached (list): Package versions that have been reached.
1964
- vdata (dict): A dictionary containing information about the
1965
- version range to be checked.
1966
- - `lower` (str): The lower bound of the version range.
1967
- - `lmod` (str): The lower bound modifier. Possible values are `">"`
1968
- and `">="`.
1969
- - `upper` (str): The upper bound of the version range.
1970
- - `umod` (str): The upper bound modifier. Possible values are `<"`
1971
- and `"<="`.
1972
-
1973
- Returns:
1974
- bool: True if the version `reached` satisfies the conditions specified
1975
- by `x`, False otherwise.
1976
- """
1977
- mie = vdata["lower"] if vdata["lmod"] != ">=" else None
1978
- mae = vdata["upper"] if vdata["umod"] != "<=" else None
1979
- return any(
1980
- version_compare(_, vdata["lower"], vdata["upper"], mie, mae)
1981
- for _ in reached
1982
- )